Edit tour

Windows Analysis Report
GGP_DOCUMENTO CITACION AUDIENCIA_GGP.svg

Overview

General Information

Sample name:	GGP_DOCUMENTO CITACION AUDIENCIA_GGP.svg
Analysis ID:	1631826
MD5:	355a8bc87e45beb3b0bf2befb5ce105c
SHA1:	e068409e1de831a56bf5ccf6d9c257d24f16a3fe
SHA256:	784d72496c99a019647f0866f55537b25d706df7262bd230cb89d58e39e03eb3
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected DcRat

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Disable Windows Toast Notifications

Downloads suspicious files via Chrome

Drops password protected ZIP file

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTML page contains hidden javascript code

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6800 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\GGP_DO~1.SVG MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,16360163992895380540,2877974460578698395,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

rundll32.exe (PID: 4112 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

1DOC-PROCESO-PDF.exe (PID: 3544 cmdline: "C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe" MD5: FD3C8166E7FBBB64D12C1170B8F4BACF)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AddInProcess32.exe (PID: 4756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

InstallUtil.exe (PID: 3208 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "dcgack.duckdns.org", "Ports": "35440", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "7JTFlu4wpeHr2tvaMGSmxJn38IjIYcfH", "Mutex": "DcRatMutex_qwqdanFrhG", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "iQE9bFuUs//WQsF7+z/n4rGd9y7m/pYT3ctBbSN+BYXijNw7oUBjdcn95lswYvpp0G2rM9Ivnu+MGVEZdpeMP0101eoAinHP6iQHuVW5uZvOTsvGpFnD/49/gyfjZHnk7fapF4HSk/6ReBmhRuig1dkxaBE3Lh1F2YzB4nTcQDU=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x171f0b9:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2349982723.000000000333D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000010.00000002.2349982723.000000000333D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x2c10:$b2: DcRat By qwqdanchun1 0x7a34:$b2: DcRat By qwqdanchun1 0x7c74:$b2: DcRat By qwqdanchun1
00000010.00000002.2348737511.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x19ffc:$b2: DcRat By qwqdanchun1 0x3dbd4:$b2: DcRat By qwqdanchun1 0x3e620:$b2: DcRat By qwqdanchun1
00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63fb:$a1: havecamera 0x98ec:$a2: timeout 3 > NUL 0x990c:$a3: START "" " 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000010.00000002.2349982723.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x3ab8:$b1: DcRatByqwqdanchun 0x19354:$b2: DcRat By qwqdanchun1
0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x6bfe8:$a1: havecamera 0x1a235c:$a1: havecamera 0x1ae30b:$a1: havecamera 0x6f4d9:$a2: timeout 3 > NUL 0x1a584d:$a2: timeout 3 > NUL 0x1b17fc:$a2: timeout 3 > NUL 0x6f4f9:$a3: START "" " 0x1a586d:$a3: START "" " 0x1b181c:$a3: START "" " 0x6f384:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x1a56f8:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x1b16a7:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x6f439:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x1a57ad:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x1b175c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Process Memory Space: 1DOC-PROCESO-PDF.exe PID: 3544	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 1DOC-PROCESO-PDF.exe PID: 3544	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x7fdf6:$a1: havecamera 0x849d9:$b1: DcRatByqwqdanchun
Process Memory Space: InstallUtil.exe PID: 3208	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 3208	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: InstallUtil.exe PID: 3208	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x41e0f:$a1: havecamera 0x4b7d:$b1: DcRatByqwqdanchun 0x469f2:$b1: DcRatByqwqdanchun 0x2022:$b2: DcRat By qwqdanchun1 0x8717:$b2: DcRat By qwqdanchun1 0x218fb:$b2: DcRat By qwqdanchun1
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x47fb:$a1: havecamera 0x7cec:$a2: timeout 3 > NUL 0x7d0c:$a3: START "" " 0x7b97:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x7c4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x47fb:$a1: havecamera 0x7cec:$a2: timeout 3 > NUL 0x7d0c:$a3: START "" " 0x7b97:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x7c4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x8346:$str01: DcRatByqwqdanchun 0x7c4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x7a08:$str03: Po_ng 0x79de:$str04: Pac_ket 0x80ea:$str05: Perfor_mance 0x812e:$str06: Install_ed 0x48dd:$str07: get_IsConnected 0x5236:$str08: get_ActivatePo_ng 0x5bbe:$str09: isVM_by_wim_temper 0x7a24:$str10: save_Plugin 0x7cec:$str11: timeout 3 > NUL 0x7d5e:$str12: ProcessHacker.exe 0x7ece:$str13: Select * from Win32_CacheMemory
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x8346:$str01: DcRatByqwqdanchun 0x7c4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x7a08:$str03: Po_ng 0x79de:$str04: Pac_ket 0x80ea:$str05: Perfor_mance 0x812e:$str06: Install_ed 0x48dd:$str07: get_IsConnected 0x5236:$str08: get_ActivatePo_ng 0x5bbe:$str09: isVM_by_wim_temper 0x7a24:$str10: save_Plugin 0x7cec:$str11: timeout 3 > NUL 0x7d5e:$str12: ProcessHacker.exe 0x7ece:$str13: Select * from Win32_CacheMemory
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7b97:$s2: L2Mgc2NodGFza3MgL2 0x7b16:$s3: QW1zaVNjYW5CdWZmZXI 0x7b64:$s4: VmlydHVhbFByb3RlY3Q
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7ece:$q1: Select * from Win32_CacheMemory 0x7f0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7faa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8346:$s1: DcRatBy
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7b97:$s2: L2Mgc2NodGFza3MgL2 0x7b16:$s3: QW1zaVNjYW5CdWZmZXI 0x7b64:$s4: VmlydHVhbFByb3RlY3Q
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7ece:$q1: Select * from Win32_CacheMemory 0x7f0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7faa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8346:$s1: DcRatBy
16.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
16.2.InstallUtil.exe.400000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
16.2.InstallUtil.exe.400000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xa146:$str01: DcRatByqwqdanchun 0x9a4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x9808:$str03: Po_ng 0x97de:$str04: Pac_ket 0x9eea:$str05: Perfor_mance 0x9f2e:$str06: Install_ed 0x66dd:$str07: get_IsConnected 0x7036:$str08: get_ActivatePo_ng 0x79be:$str09: isVM_by_wim_temper 0x9824:$str10: save_Plugin 0x9aec:$str11: timeout 3 > NUL 0x9b5e:$str12: ProcessHacker.exe 0x9cce:$str13: Select * from Win32_CacheMemory
16.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q
16.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
16.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x47fb:$a1: havecamera 0x7cec:$a2: timeout 3 > NUL 0x7d0c:$a3: START "" " 0x7b97:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x7c4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x8346:$str01: DcRatByqwqdanchun 0x7c4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x7a08:$str03: Po_ng 0x79de:$str04: Pac_ket 0x80ea:$str05: Perfor_mance 0x812e:$str06: Install_ed 0x48dd:$str07: get_IsConnected 0x5236:$str08: get_ActivatePo_ng 0x5bbe:$str09: isVM_by_wim_temper 0x7a24:$str10: save_Plugin 0x7cec:$str11: timeout 3 > NUL 0x7d5e:$str12: ProcessHacker.exe 0x7ece:$str13: Select * from Win32_CacheMemory
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7b97:$s2: L2Mgc2NodGFza3MgL2 0x7b16:$s3: QW1zaVNjYW5CdWZmZXI 0x7b64:$s4: VmlydHVhbFByb3RlY3Q
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7ece:$q1: Select * from Win32_CacheMemory 0x7f0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7faa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8346:$s1: DcRatBy
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xa146:$str01: DcRatByqwqdanchun 0x9a4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x9808:$str03: Po_ng 0x97de:$str04: Pac_ket 0x9eea:$str05: Perfor_mance 0x9f2e:$str06: Install_ed 0x66dd:$str07: get_IsConnected 0x7036:$str08: get_ActivatePo_ng 0x79be:$str09: isVM_by_wim_temper 0x9824:$str10: save_Plugin 0x9aec:$str11: timeout 3 > NUL 0x9b5e:$str12: ProcessHacker.exe 0x9cce:$str13: Select * from Win32_CacheMemory
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x125aa:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x15a9b:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x15abb:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x15946:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x159fb:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xa146:$str01: DcRatByqwqdanchun 0x160f5:$str01: DcRatByqwqdanchun 0x9a4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x159fb:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x9808:$str03: Po_ng 0x157b7:$str03: Po_ng 0x97de:$str04: Pac_ket 0x1578d:$str04: Pac_ket 0x9eea:$str05: Perfor_mance 0x15e99:$str05: Perfor_mance 0x9f2e:$str06: Install_ed 0x15edd:$str06: Install_ed 0x66dd:$str07: get_IsConnected 0x1268c:$str07: get_IsConnected 0x7036:$str08: get_ActivatePo_ng 0x12fe5:$str08: get_ActivatePo_ng 0x79be:$str09: isVM_by_wim_temper 0x1396d:$str09: isVM_by_wim_temper 0x9824:$str10: save_Plugin 0x157d3:$str10: save_Plugin 0x9aec:$str11: timeout 3 > NUL
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x159fb:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x15946:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x158c5:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q 0x15913:$s4: VmlydHVhbFByb3RlY3Q
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x15c7d:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15cbd:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15d0b:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15d59:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy 0x160f5:$s1: DcRatBy
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x13c96f:$a1: havecamera 0x14891e:$a1: havecamera 0x9aec:$a2: timeout 3 > NUL 0x13fe60:$a2: timeout 3 > NUL 0x14be0f:$a2: timeout 3 > NUL 0x9b0c:$a3: START "" " 0x13fe80:$a3: START "" " 0x14be2f:$a3: START "" " 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x13fd0b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x14bcba:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x13fdc0:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x14bd6f:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xa146:$str01: DcRatByqwqdanchun 0x1404ba:$str01: DcRatByqwqdanchun 0x14c469:$str01: DcRatByqwqdanchun 0x9a4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x13fdc0:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x14bd6f:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x9808:$str03: Po_ng 0x13fb7c:$str03: Po_ng 0x14bb2b:$str03: Po_ng 0x97de:$str04: Pac_ket 0x13fb52:$str04: Pac_ket 0x14bb01:$str04: Pac_ket 0x9eea:$str05: Perfor_mance 0x14025e:$str05: Perfor_mance 0x14c20d:$str05: Perfor_mance 0x9f2e:$str06: Install_ed 0x1402a2:$str06: Install_ed 0x14c251:$str06: Install_ed 0x66dd:$str07: get_IsConnected 0x13ca51:$str07: get_IsConnected 0x148a00:$str07: get_IsConnected
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x13fdc0:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x14bd6f:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x9997:$s2: L2Mgc2NodGFza3MgL2 0x13fd0b:$s2: L2Mgc2NodGFza3MgL2 0x14bcba:$s2: L2Mgc2NodGFza3MgL2 0x9916:$s3: QW1zaVNjYW5CdWZmZXI 0x13fc8a:$s3: QW1zaVNjYW5CdWZmZXI 0x14bc39:$s3: QW1zaVNjYW5CdWZmZXI 0x9964:$s4: VmlydHVhbFByb3RlY3Q 0x13fcd8:$s4: VmlydHVhbFByb3RlY3Q 0x14bc87:$s4: VmlydHVhbFByb3RlY3Q
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cce:$q1: Select * from Win32_CacheMemory 0x140042:$q1: Select * from Win32_CacheMemory 0x14bff1:$q1: Select * from Win32_CacheMemory 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x140082:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x14c031:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1400d0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x14c07f:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x14011e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x14c0cd:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa146:$s1: DcRatBy 0x1404ba:$s1: DcRatBy 0x14c469:$s1: DcRatBy
Click to see the 37 entries

Suricata Signatures

ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:27:51.948995+0100	2034847	1	Domain Observed Used for C2 Detected	104.245.240.63	35440	192.168.2.16	49858	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:27:51.948995+0100	2842478	1	Malware Command and Control Activity Detected	104.245.240.63	35440	192.168.2.16	49858	TCP

ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:27:51.948995+0100	2848048	1	Domain Observed Used for C2 Detected	104.245.240.63	35440	192.168.2.16	49858	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack

Malware Configuration Extractor: AsyncRAT {"Server": "dcgack.duckdns.org", "Ports": "35440", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "7JTFlu4wpeHr2tvaMGSmxJn38IjIYcfH", "Mutex": "DcRatMutex_qwqdanFrhG", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "iQE9bFuUs//WQsF7+z/n4rGd9y7m/pYT3ctBbSN+BYXijNw7oUBjdcn95lswYvpp0G2rM9Ivnu+MGVEZdpeMP0101eoAinHP6iQHuVW5uZvOTsvGpFnD/49/gyfjZHnk7fapF4HSk/6ReBmhRuig1dkxaBE3Lh1F2YzB4nTcQDU=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Sample uses string decryption to hide its real strings

Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 35440
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: dcgack.duckdns.org
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 1.0.7
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: false
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DcRatMutex_qwqdanFrhG
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: iQE9bFuUs//WQsF7+z/n4rGd9y7m/pYT3ctBbSN+BYXijNw7oUBjdcn95lswYvpp0G2rM9Ivnu+MGVEZdpeMP0101eoAinHP6iQHuVW5uZvOTsvGpFnD/49/gyfjZHnk7fapF4HSk/6ReBmhRuig1dkxaBE3Lh1F2YzB4nTcQDU=
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: null
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 06-MARZO

Source: file:///C:/Users/user/Desktop/GGP_DO~1.SVG

HTTP Parser: Base64 decoded: QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQE...

Source: file:///C:/Users/user/Desktop/GGP_DO~1.SVG	HTTP Parser: No favicon
Source: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738c	HTTP Parser: No favicon
Source: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738c	HTTP Parser: No favicon
Source: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738c	HTTP Parser: No favicon
Source: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738c	HTTP Parser: No favicon
Source: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738c	HTTP Parser: No favicon
Source: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738c	HTTP Parser: No favicon
Source: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738c	HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.60.203.209:443 -> 192.168.2.16:49715 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 49MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 104.245.240.63:35440 -> 192.168.2.16:49858
Source: Network traffic	Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 104.245.240.63:35440 -> 192.168.2.16:49858
Source: Network traffic	Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 104.245.240.63:35440 -> 192.168.2.16:49858

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: dcgack.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: dcgack.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.16:49858 -> 104.245.240.63:35440

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.18.3
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.18.3
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738c HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/js/main.c13d8b8e.js HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738cAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/media/Mona-Sans-Medium.1d13d02c97c2fffe114f.woff2 HTTP/1.1Host: ydray.comConnection: keep-aliveOrigin: https://ydray.comsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://ydray.com/static/css/main.f94c34bb.cssAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/images/ydray-wordmark-black.svg HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738cAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/images/logo1.svg HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738cAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /slider/ HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /get/transfer/u17413510193131ZRvY8d6cdee53655oI HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /info/ HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/media/PRO.1de39d5eba32f217695a.svg HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ydray.com/static/css/main.f94c34bb.cssAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /static/media/BUSINESS.5dce83fc7b5907ff2460.svg HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ydray.com/static/css/main.f94c34bb.cssAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /layerslider/css/layerslider.css HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /user/ HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/logo1.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /info/ HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /layerslider/js/jquery.js HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/avatar3.svg HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738cAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /get/transfer/u17413510193131ZRvY8d6cdee53655oI HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /layerslider/js/layerslider.transitions.js HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /layerslider/js/layerslider.utils.js HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/ydray-wordmark-black.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /layerslider/js/layerslider.kreaturamedia.jquery.js HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/next_step.svg HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738cAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /static/media/FREE.058d687482229be96a55.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /static/media/BUSINESS.5dce83fc7b5907ff2460.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /static/media/PRO.1de39d5eba32f217695a.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/folder-file-graphic.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /fileupload/ HTTP/1.1Host: st12.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/avatar1.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /user/ HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /get/tf/u17413510193131ZRvY8d6cdee53655oI/13868060/eaad5f5907e73c7e5cf574a96df888ba HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/avatar2.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /images/34.jpg HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /images/16.jpg HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/avatar3.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/avatar4.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /assets/images/next_step.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /fileupload/ HTTP/1.1Host: st12.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /get/rf/13868060?yf=d54b54b2ed26ff976b1a36e23f3d6077bcb7f01127532c663f3201e260cba52351e6c275c1cf9d2e96a33467b1680f02080fe536f0d96711e2f75dc95dc6ed12VV6jnSM%2FLGys6Z57zY3UfBUucEMnHwJF9fnkpbj8fVHZ%2FGqbIPCYLYscw%2FO7HuzVqQw0E3C1ttSV%2BglSxqeHW1SwFcYUZN7IV7AiYT98xYMXHwbWsvg54i2mv8SqgOV9TBG1tVg2aLf9XdiScIEDKQ%3D%3D&ff=52efb51845194d5ace3f4780eab91c20e948914128f6db982dc9c5a3b3c7aec963c202a96a87076ffaad649dabaf367a7babba1c49679ba0475a717fa31a4ab9fz6E74H2v2EFwXjPyWNXeGH3Abp4lSUisKaOTnReRVwnJIlTqasoK7sR97z2DQt1jiu4RIsZUm1D4%2FZfQtNPag%3D%3D&t=a183dc9aeaedb6a0223d6686fa4bf0466b73b8b9caabfe71671be47571e36402499dd6459bdd60a69a5c7718a150a39b2aace861b22e476af496a37d2103b875JDjjoCdRCQMoWdKisw9%2F4I4HRr%2Fe7GOmZBeuhb4fxVU%3D HTTP/1.1Host: st12.ydray.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /layerslider/skins/noskin/skin.css HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /images/32.jpg HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /ivt/worklet/caw.js HTTP/1.1Host: ep3.adtrafficquality.googleConnection: keep-aliveAccept: application/javascriptSec-Shared-Storage-Data-Origin: https://ep3.adtrafficquality.googleOrigin: https://ydray.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: sharedstorageworkletUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/48.jpg HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /manifest.json HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: manifestReferer: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738cAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /i/ca-pub-7075008344469842?href=https%3A%2F%2Fydray.com%2Fget%2Ft%2Fu17413510193131ZRvY8d6cdee53655oI&ers=2 HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/3.jpg HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /f/AGSKWxU15POZWHQ7dZJFKxq3tUz5E8Zbiyxs1bE3GB7sGGwraoEJ03zRQitfXqH2ke2sAmIm_8NJx-KmqGPKawHlJlFkE5KRnJiLO5wG7yfEeZh6F8_Ulhjj35xGU2vswy9l5tw-npUmIA==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQxMzU3NjAzLDcyOTAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzddXSwiaHR0cHM6Ly95ZHJheS5jb20vZ2V0L3QvdTE3NDEzNTEwMTkzMTMxWlJ2WThkNmNkZWU1MzY1NW9JIixudWxsLFtbOCwieUptYUpkc085LVEiXSxbOSwiZW4tVVMiXSxbMTksIjIiXSxbMTcsIlswXSJdLFsyNCwiIl1dXQ HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /f/AGSKWxVYcQ5QX1rb2a0S55psUzZPxHaEy2gn9xcQPxX_fnqO0ZhVeEFLtNrEMYGt2XqGyNGyCKiRVKmC-x7oQjax0mcHuyNCHz21u9CSOmHZlKZf1pb1YULlQe4Kjw89N19EsJliI2DMKQ==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQxMzU3NjA2LDc4ODAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOV0sbnVsbCwyLG51bGwsImVuIl0sImh0dHBzOi8veWRyYXkuY29tL2dldC90L3UxNzQxMzUxMDE5MzEzMVpSdlk4ZDZjZGVlNTM2NTVvSSIsbnVsbCxbWzgsInlKbWFKZHNPOS1RIl0sWzksImVuLVVTIl0sWzE5LCIyIl0sWzE3LCJbMF0iXSxbMjQsIiJdXV0 HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /getconfig/sodar?sv=200&tid=gda&tv=r20250305&st=env HTTP/1.1Host: ep1.adtrafficquality.googleConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.svg HTTP/1.1Host: ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ydray.com/get/t/u17413510193131ZRvY8d6cdee53655oI?id=ceb1c4a5-f3ce-49dd-8fda-3d110e84738cAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /favicon.svg HTTP/1.1Host: ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12
Source: global traffic	HTTP traffic detected: GET /getconfig/sodar?sv=200&tid=gda&tv=r20250305&st=env HTTP/1.1Host: ep1.adtrafficquality.googleConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /f/AGSKWxU0f7DrgSp1aPm4p4v4NA-zBcHsTM-oF7478YXmKaYK1Dmj4GgC9hZAZf11w20ZMvaUGSHwkPKIzukOdB7k5gGrLrcU8xSVnsBq8MU5wDUl1MGuGcjrkN0MgBbjoeUmX2bMjL6XsD896EmfLahuu2iDalMM-4nLEChrhDxeAJdEXTnpPuilezo-LeY1/__banner_ad./adiframeanchor./kitad./cpmbanner./adblock.ash HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sodar/sodar2.js HTTP/1.1Host: ep2.adtrafficquality.googleConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /recaptcha/api2/aframe HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Browser-Channel: stableX-Browser-Year: 2025X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sodar/sodar2/232/runner.html HTTP/1.1Host: ep2.adtrafficquality.googleConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /f/AGSKWxWWeqZX_9UKUxJ7-FA6eOYGQ_x63thXyFjyUMzWCEaUYQtS5cyX_1wCfziYEUs3IA6JxYctzMHBNVXXXA05g7qnCgVh6JQG-xvgi2pHBdveqdCwXg37W3zo0o0B3_l8Xk5plc9PSw==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQxMzU3NjE1LDg1OTAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOSw2XSxudWxsLDIsbnVsbCwiZW4iLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCwxXSwiaHR0cHM6Ly95ZHJheS5jb20vZ2V0L3QvdTE3NDEzNTEwMTkzMTMxWlJ2WThkNmNkZWU1MzY1NW9JIixudWxsLFtbOCwieUptYUpkc085LVEiXSxbOSwiZW4tVVMiXSxbMTksIjIiXSxbMTcsIlswXSJdLFsyNCwiIl1dXQ HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /slider/ HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /get/transfer/u17413510193131ZRvY8d6cdee53655oI HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /info/ HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /i/ca-pub-7075008344469842?href=https%3A%2F%2Fydray.com%2Fget%2Ft%2Fu17413510193131ZRvY8d6cdee53655oI&ers=2 HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /get/transfer/u17413510193131ZRvY8d6cdee53655oI HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /user/ HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /layerslider/skins/noskin/skin.png HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/layerslider/skins/noskin/skin.cssAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /info/ HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /layerslider/skins/noskin/loading.gif HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/layerslider/skins/noskin/skin.cssAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/84.jpg HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/90.jpg HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/21.jpg HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /fileupload/ HTTP/1.1Host: st12.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencodedsec-ch-ua-mobile: ?0Accept: /Origin: https://ydray.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /user/ HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/4.jpg HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /layerslider/skins/noskin/skin.png HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/26.jpg HTTP/1.1Host: api.ydray.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://api.ydray.com/slider/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /layerslider/skins/noskin/loading.gif HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/84.jpg HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/90.jpg HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /f/AGSKWxXM2GHfLHkF0VhhQjnwFOgx_5t7bTzukx9FaZD9kndOCjWn-4Dia7tDFNJn52gVPIZBPwO0KbWTgn3POTCNsYbKIhdravtXHbMpIT76jKjrsoro4gkHOJ8bIU7Q_zUirxJSJa4GWg==?fccs=W1siQUtzUm9sOVRXUG1XOWxCdmpsdEowSXNPNDhOdncwSWJqYVQ4U19lUFlYQjNDaEpid0VCLXF4c1I5b04xRTRESkZBdllBbnRQLTNmZmpuWGEwU0VrZkl5bzZUd3Q3Z0ZHM1pIQVhPaUhVeUNCZmFELXVsMGI2eGdJMm1TWDJmRXVFS0tPOFdwVHhuQVBmZUkwTHR3MVdoRm05dmZPLWZ1Q093PT0iXSxudWxsLG51bGwsbnVsbCxudWxsLG51bGwsWzE3NDEzNTc2MzcsODE2MDAwMDAwXSxudWxsLG51bGwsbnVsbCxbbnVsbCxbN11dLCJodHRwczovL3lkcmF5LmNvbS9nZXQvdC91MTc0MTM1MTAxOTMxMzFaUnZZOGQ2Y2RlZTUzNjU1b0kiLG51bGwsW1s4LCJ5Sm1hSmRzTzktUSJdLFs5LCJlbi1VUyJdLFsxOSwiMiJdLFsxNywiWzBdIl0sWzI0LCIiXV1d HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /X-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/21.jpg HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /fileupload/ HTTP/1.1Host: st12.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/4.jpg HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D
Source: global traffic	HTTP traffic detected: GET /images/26.jpg HTTP/1.1Host: api.ydray.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: ydray=vn6egkc0ttfu7p8v37a4p0c75epknpnu; st_ydy=yvn6egkc0ttfu7p8v37a4p0c75epknpnu.4722620136.30c03a463a8d484ed947d1ee2baf203b; st_hmac=55119b3d31ccfb97af4e0be5f5862c1c8f94b2f9e4dfdd391fb3fd26819f1a75; country=US; st=12; FCNEC=%5B%5B%22AKsRol9TWPmW9lBvjltJ0IsO48Nvw0IbjaT8S_ePYXB3ChJbwEB-qxsR9oN1E4DJFAvYAntP-3ffjnXa0SEkfIyo6Twt7gFG3ZHAXOiHUyCBfaD-ul0b6xgI2mSX2fEuEKKO8WpTxnAPfeI0Ltw1WhFm9vfO-fuCOw%3D%3D%22%5D%5D

Source: chromecache_126.1.dr	String found in binary or memory: href="https://www.linkedin.com/showcase/googlemarketingplatform" equals www.linkedin.com (Linkedin)
Source: chromecache_126.1.dr	String found in binary or memory: href="https://www.youtube.com/c/googlemarketingplatform" equals www.youtube.com (Youtube)
Source: chromecache_126.1.dr	String found in binary or memory: <script type="application/ld+json" nonce="zlYH0KsNNHQVhjg6BSmV-Q">{"@context": "http://schema.org","@type": "Webpage","name": "Enterprise","description": "Google Marketing Platform offers an enterprise analytics solution to gain insights into your advertising, marketing, customers, and sales.","url": "https://marketingplatform.google.com/about/enterprise/","@id": "https://marketingplatform.google.com/about/enterprise/#webpage","inLanguage": "English","headline": "Meaningful insights.<br>Smarter marketing.<br>Better results.","image": {"@type": "ImageObject","url": "https://lh3.googleusercontent.com/XjulzUQfPsVZjAC6DJrlVtyGdUQKM8_6sI0SAcqopIqEn18pOQ0BzWWrXZ5W6FoAx27IzI0AoLXmik0KlCEOr_27jhEfxbiNUp4k","isFamilyFriendly":"yes"},"publisher": {"@type": "Organization","url": "https://www.google.com/","@id": "https://www.google.com/#organization","logo": "https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png","sameAs": ["https://twitter.com/Google", "https://www.instagram.com/google/", "https://www.facebook.com/Google/", "https://www.youtube.com/user/Google", "https://www.linkedin.com/company/google", "https://www.wikidata.org/wiki/Q95", "https://en.wikipedia.org/wiki/Google"]},"copyrightHolder": {"@type": "Organization","name": "Google","url": "https://www.google.com/","@id": "https://www.google.com/#organization","logo": "https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png","sameAs": ["https://twitter.com/Google", "https://www.instagram.com/google/", "https://www.facebook.com/Google/", "https://www.youtube.com/user/Google", "https://www.linkedin.com/company/google", "https://www.wikidata.org/wiki/Q95", "https://en.wikipedia.org/wiki/Google"]},"breadcrumb": {"@type": "BreadcrumbList","itemListElement": [{"@type": "ListItem","position":"1","item": {"@id": "https://marketingplatform.google.com/about/","name": "Google Marketing Platform"}},{"@type": "ListItem","position":"2","item": {"@id": " https://marketingplatform.google.com/about/enterprise/","name": "Enterprise"}}]}}</script><!-- Open graph for facebook --> equals www.facebook.com (Facebook)
Source: chromecache_126.1.dr	String found in binary or memory: <script type="application/ld+json" nonce="zlYH0KsNNHQVhjg6BSmV-Q">{"@context": "http://schema.org","@type": "Webpage","name": "Enterprise","description": "Google Marketing Platform offers an enterprise analytics solution to gain insights into your advertising, marketing, customers, and sales.","url": "https://marketingplatform.google.com/about/enterprise/","@id": "https://marketingplatform.google.com/about/enterprise/#webpage","inLanguage": "English","headline": "Meaningful insights.<br>Smarter marketing.<br>Better results.","image": {"@type": "ImageObject","url": "https://lh3.googleusercontent.com/XjulzUQfPsVZjAC6DJrlVtyGdUQKM8_6sI0SAcqopIqEn18pOQ0BzWWrXZ5W6FoAx27IzI0AoLXmik0KlCEOr_27jhEfxbiNUp4k","isFamilyFriendly":"yes"},"publisher": {"@type": "Organization","url": "https://www.google.com/","@id": "https://www.google.com/#organization","logo": "https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png","sameAs": ["https://twitter.com/Google", "https://www.instagram.com/google/", "https://www.facebook.com/Google/", "https://www.youtube.com/user/Google", "https://www.linkedin.com/company/google", "https://www.wikidata.org/wiki/Q95", "https://en.wikipedia.org/wiki/Google"]},"copyrightHolder": {"@type": "Organization","name": "Google","url": "https://www.google.com/","@id": "https://www.google.com/#organization","logo": "https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png","sameAs": ["https://twitter.com/Google", "https://www.instagram.com/google/", "https://www.facebook.com/Google/", "https://www.youtube.com/user/Google", "https://www.linkedin.com/company/google", "https://www.wikidata.org/wiki/Q95", "https://en.wikipedia.org/wiki/Google"]},"breadcrumb": {"@type": "BreadcrumbList","itemListElement": [{"@type": "ListItem","position":"1","item": {"@id": "https://marketingplatform.google.com/about/","name": "Google Marketing Platform"}},{"@type": "ListItem","position":"2","item": {"@id": " https://marketingplatform.google.com/about/enterprise/","name": "Enterprise"}}]}}</script><!-- Open graph for facebook --> equals www.linkedin.com (Linkedin)
Source: chromecache_126.1.dr	String found in binary or memory: <script type="application/ld+json" nonce="zlYH0KsNNHQVhjg6BSmV-Q">{"@context": "http://schema.org","@type": "Webpage","name": "Enterprise","description": "Google Marketing Platform offers an enterprise analytics solution to gain insights into your advertising, marketing, customers, and sales.","url": "https://marketingplatform.google.com/about/enterprise/","@id": "https://marketingplatform.google.com/about/enterprise/#webpage","inLanguage": "English","headline": "Meaningful insights.<br>Smarter marketing.<br>Better results.","image": {"@type": "ImageObject","url": "https://lh3.googleusercontent.com/XjulzUQfPsVZjAC6DJrlVtyGdUQKM8_6sI0SAcqopIqEn18pOQ0BzWWrXZ5W6FoAx27IzI0AoLXmik0KlCEOr_27jhEfxbiNUp4k","isFamilyFriendly":"yes"},"publisher": {"@type": "Organization","url": "https://www.google.com/","@id": "https://www.google.com/#organization","logo": "https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png","sameAs": ["https://twitter.com/Google", "https://www.instagram.com/google/", "https://www.facebook.com/Google/", "https://www.youtube.com/user/Google", "https://www.linkedin.com/company/google", "https://www.wikidata.org/wiki/Q95", "https://en.wikipedia.org/wiki/Google"]},"copyrightHolder": {"@type": "Organization","name": "Google","url": "https://www.google.com/","@id": "https://www.google.com/#organization","logo": "https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png","sameAs": ["https://twitter.com/Google", "https://www.instagram.com/google/", "https://www.facebook.com/Google/", "https://www.youtube.com/user/Google", "https://www.linkedin.com/company/google", "https://www.wikidata.org/wiki/Q95", "https://en.wikipedia.org/wiki/Google"]},"breadcrumb": {"@type": "BreadcrumbList","itemListElement": [{"@type": "ListItem","position":"1","item": {"@id": "https://marketingplatform.google.com/about/","name": "Google Marketing Platform"}},{"@type": "ListItem","position":"2","item": {"@id": " https://marketingplatform.google.com/about/enterprise/","name": "Enterprise"}}]}}</script><!-- Open graph for facebook --> equals www.twitter.com (Twitter)
Source: chromecache_126.1.dr	String found in binary or memory: <script type="application/ld+json" nonce="zlYH0KsNNHQVhjg6BSmV-Q">{"@context": "http://schema.org","@type": "Webpage","name": "Enterprise","description": "Google Marketing Platform offers an enterprise analytics solution to gain insights into your advertising, marketing, customers, and sales.","url": "https://marketingplatform.google.com/about/enterprise/","@id": "https://marketingplatform.google.com/about/enterprise/#webpage","inLanguage": "English","headline": "Meaningful insights.<br>Smarter marketing.<br>Better results.","image": {"@type": "ImageObject","url": "https://lh3.googleusercontent.com/XjulzUQfPsVZjAC6DJrlVtyGdUQKM8_6sI0SAcqopIqEn18pOQ0BzWWrXZ5W6FoAx27IzI0AoLXmik0KlCEOr_27jhEfxbiNUp4k","isFamilyFriendly":"yes"},"publisher": {"@type": "Organization","url": "https://www.google.com/","@id": "https://www.google.com/#organization","logo": "https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png","sameAs": ["https://twitter.com/Google", "https://www.instagram.com/google/", "https://www.facebook.com/Google/", "https://www.youtube.com/user/Google", "https://www.linkedin.com/company/google", "https://www.wikidata.org/wiki/Q95", "https://en.wikipedia.org/wiki/Google"]},"copyrightHolder": {"@type": "Organization","name": "Google","url": "https://www.google.com/","@id": "https://www.google.com/#organization","logo": "https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png","sameAs": ["https://twitter.com/Google", "https://www.instagram.com/google/", "https://www.facebook.com/Google/", "https://www.youtube.com/user/Google", "https://www.linkedin.com/company/google", "https://www.wikidata.org/wiki/Q95", "https://en.wikipedia.org/wiki/Google"]},"breadcrumb": {"@type": "BreadcrumbList","itemListElement": [{"@type": "ListItem","position":"1","item": {"@id": "https://marketingplatform.google.com/about/","name": "Google Marketing Platform"}},{"@type": "ListItem","position":"2","item": {"@id": " https://marketingplatform.google.com/about/enterprise/","name": "Enterprise"}}]}}</script><!-- Open graph for facebook --> equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ydray.com
Source: global traffic	DNS traffic detected: DNS query: googleads.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: api.ydray.com
Source: global traffic	DNS traffic detected: DNS query: www3.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: marketingplatform.google.com
Source: global traffic	DNS traffic detected: DNS query: st12.ydray.com
Source: global traffic	DNS traffic detected: DNS query: ep3.adtrafficquality.google
Source: global traffic	DNS traffic detected: DNS query: fundingchoicesmessages.google.com
Source: global traffic	DNS traffic detected: DNS query: ep1.adtrafficquality.google
Source: global traffic	DNS traffic detected: DNS query: ep2.adtrafficquality.google
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: dcgack.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: beacons2.gvt2.com

Source: unknown

HTTP traffic detected: POST /el/AGSKWxXkyowuWEJ2J5zVN-XUmNah5lvblATvuf0-cSvqhYmAMq1wbK1PXaDTroX9zfP1oDvH4D2ioow4VGgGnhou8bA2vR1EoD7kgAdqQxLBTQ9RzZ6RLXECMW5EdRX6NPmuUfaYvz--9g== HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-aliveContent-Length: 155sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: text/plainsec-ch-ua-mobile: ?0Accept: */*Origin: https://ydray.comX-Client-Data: CLbgygE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ydray.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: InstallUtil.exe, 00000010.00000002.2348737511.000000000149E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: InstallUtil.exe, 00000010.00000002.2348737511.000000000149E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2348737511.000000000142E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.16.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: chromecache_109.1.dr	String found in binary or memory: http://google.com
Source: chromecache_109.1.dr	String found in binary or memory: http://googleads.g.doubleclick.net
Source: chromecache_109.1.dr	String found in binary or memory: http://mathiasbynens.be/
Source: chromecache_109.1.dr	String found in binary or memory: http://pagead2.googlesyndication.com
Source: chromecache_126.1.dr	String found in binary or memory: http://schema.org
Source: InstallUtil.exe, 00000010.00000002.2349982723.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://scripts.sil.org/OFL).
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://scripts.sil.org/OFL).http://www.typoland.com/designers/Lukasz_Dziedzic/http://www.typoland.co
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://scripts.sil.org/OFLCopyright
Source: chromecache_140.1.dr	String found in binary or memory: http://www.broofa.com
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.typoland.com/)
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.typoland.com/designers/Lukasz_Dziedzic/http://www.typoland.com/Lato
Source: chromecache_126.1.dr	String found in binary or memory: https://about.google/
Source: chromecache_126.1.dr	String found in binary or memory: https://about.google/commitments/racialequity/
Source: chromecache_126.1.dr	String found in binary or memory: https://about.google/products/
Source: chromecache_126.1.dr	String found in binary or memory: https://admanager.google.com/home/
Source: chromecache_126.1.dr	String found in binary or memory: https://ads.google.com/home/?utm_source=marketingplatform.google.com&utm_medium=et&utm_campaign=mark
Source: chromecache_126.1.dr	String found in binary or memory: https://adsense.google.com/start/?subid=ww-en-et-ads-ot-a-marketing_platform
Source: chromecache_126.1.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/angularjs/1.6.6/angular-animate.min.js
Source: chromecache_126.1.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/angularjs/1.6.6/angular-touch.min.js
Source: chromecache_126.1.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/angularjs/1.6.6/angular.min.js
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp, 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2196441752.00007FFFDB68C000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp, 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2196441752.00007FFFDB68C000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2196441752.00007FFFDB68C000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityx
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: chromecache_126.1.dr	String found in binary or memory: https://analytics.google.com/analytics/academy/?utm_source=marketingplatform.google.com&utm_medium=e
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/images/21.jpg
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/images/26.jpg
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/images/4.jpg
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/images/84.jpg
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/images/90.jpg
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/layerslider/css/layerslider.css
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/layerslider/js/jquery.js
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/layerslider/js/layerslider.kreaturamedia.jquery.js
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/layerslider/js/layerslider.transitions.js
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/layerslider/js/layerslider.utils.js
Source: chromecache_151.1.dr	String found in binary or memory: https://api.ydray.com/layerslider/skins/
Source: chromecache_109.1.dr	String found in binary or memory: https://cdn.ampproject.org/amp4ads-host-v0.js
Source: chromecache_109.1.dr	String found in binary or memory: https://cdn.ampproject.org/rtv/$
Source: chromecache_126.1.dr	String found in binary or memory: https://cloud.google.com/?utm_source=marketingplatform.google.com&utm_medium=et&utm_campaign=marketi
Source: chromecache_109.1.dr	String found in binary or memory: https://cse.google.com/cse.js
Source: chromecache_140.1.dr	String found in binary or memory: https://developers.google.com/ad-placement
Source: chromecache_126.1.dr	String found in binary or memory: https://developers.google.com/ads-data-hub
Source: chromecache_126.1.dr	String found in binary or memory: https://developers.google.com/analytics/?utm_source=marketingplatform.google.com&utm_medium=et&utm_c
Source: chromecache_126.1.dr	String found in binary or memory: https://developers.google.com/doubleclick-advertisers/?utm_source=marketingplatform.google.com&utm_m
Source: chromecache_126.1.dr	String found in binary or memory: https://developers.google.com/tag-manager/?utm_source=marketingplatform.google.com&utm_medium=et&utm
Source: chromecache_115.1.dr, chromecache_169.1.dr	String found in binary or memory: https://ep1.adtrafficquality.google/bg/
Source: chromecache_109.1.dr	String found in binary or memory: https://ep1.adtrafficquality.google/getconfig/sodar
Source: chromecache_169.1.dr	String found in binary or memory: https://ep1.adtrafficquality.google/pagead/gen_204?id=sodar2&v=231
Source: chromecache_115.1.dr	String found in binary or memory: https://ep1.adtrafficquality.google/pagead/gen_204?id=sodar2&v=232
Source: chromecache_169.1.dr	String found in binary or memory: https://ep1.adtrafficquality.google/pagead/sodar?id=sodar2&v=231
Source: chromecache_115.1.dr	String found in binary or memory: https://ep1.adtrafficquality.google/pagead/sodar?id=sodar2&v=232
Source: chromecache_115.1.dr	String found in binary or memory: https://ep2.adtrafficquality.google
Source: chromecache_115.1.dr	String found in binary or memory: https://ep2.adtrafficquality.google/sodar/
Source: chromecache_109.1.dr	String found in binary or memory: https://ep2.adtrafficquality.google/sodar/$
Source: chromecache_180.1.dr, chromecache_109.1.dr	String found in binary or memory: https://ep3.adtrafficquality.google/ivt/worklet/caw.js
Source: chromecache_126.1.dr	String found in binary or memory: https://firebase.google.com/?utm_source=marketingplatform.google.com&utm_medium=et&utm_campaign=mark
Source: chromecache_109.1.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Google
Source: chromecache_109.1.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: chromecache_126.1.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:100
Source: chromecache_109.1.dr	String found in binary or memory: https://fundingchoicesmessages.google.com/i/$
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://github.com/QuestPDF/library.git0DynamicProxyGenAssembly2
Source: chromecache_180.1.dr	String found in binary or memory: https://github.com/google/safevalues/issues
Source: chromecache_109.1.dr	String found in binary or memory: https://googleads.g.doubleclick.net
Source: chromecache_109.1.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/$
Source: chromecache_186.1.dr, chromecache_136.1.dr, chromecache_177.1.dr, chromecache_123.1.dr	String found in binary or memory: https://layerslider.com/
Source: chromecache_186.1.dr, chromecache_136.1.dr, chromecache_177.1.dr, chromecache_123.1.dr	String found in binary or memory: https://layerslider.com/licensing/
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/0Q6D6O_H1ln-2XsHxasKU98MASf2MLcp6b0YJcH7L_6jULLHCTh3-WhICIlKXbpr-D
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/4wKdcCWNhhdCSoEVMCTzXPiD1J0FYAfAEHVfqhAzWGBE1CNhPGWOaO6lzpsai7u3bH
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/5Yi9pUyi0xjbfbdG2p4kyVsYGlDWYrbQUlaLXLAiUlmRB9I3myFxlFusUi29QGev9g
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/9Ukdk5mlaSxOFDc98fBBHg0zz_mMebexFn8WtVRRS8QqsyGzLlvL2SCoY-CAyyXY0p
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/BfyS-j_OOTMqkt4eomWru4C8MOdli_YtSaXpmkI-qdjd6cAF1Po5s5CxF6i_iFSYfh
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/DJ26GEBH94yMQ3dofeAy0GTxU1JeuRSVQvfd9cxkfD4h-Yj8hpMMXKsgbToA49zQiJ
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/DgLaFV6_tiByMcu1ZzxH0AbKPc8_YTveTUBJHm7dKS3lsSNbA9dWibqtXp7TJHLkpl
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/DmpK8ugt7esqJ4s8hDBJRCeW_dVp40duUXRr-V4Yxvvon2ZxL-jM2Ukjyk834RQcHm
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/IaZ7OWBb5-6tf44cedpONxZuteHjRvHH8sDgPaCEGBYmD9fYII42iaUIcDUKA1DGa6
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/J1lW_pPLg0dOdxjYZ7eK61Q-Tgc0yUc0Ssp2Kdde9KHjl7iFptnFes6xVADOkzyYsn
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/LCXHdwCVFUVKVceZ7Ebxe5MnjHhCOrM5Tc1sUYiHSeF80cAZejxwYs_JoRRCDwZG4M
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/M3BEUZgVVGIo4Y9o1YaEaurfGUy3aquf87fXzlo5UnZC-iLOAQ-N1ho9u9Ywx-4Tmj
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/McJV-U6w665Cr7SFm8uBmRog_9DPfbCdntR4aK0tL2wjaXrKc0EsUT649iJOlZfVAA
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/T0P6stldNdtTJ9yCbmfQI3mgyERiFmiILsGPq2o-rbmsCCBUwGkqBZW94qiD-ldjJY
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/T0t-NlSp0OzDa4gqQgUcftzEXmWnhR6RfUDWq-8z9P_mCn9xkxqCSbsD5UiogxeoTo
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/TjCG9F-cHmWkQ9ZYIbHGWAJueckyNudq-tj6--z5E-gBYQtplStcE9dBBRXLYdWjbe
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/ToOoAIQwJV9q573oHPf0rmIGzxrYnExPpSlCMvlTtpZYddSDWUb4BS5w4vR_LoUSiQ
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/Xde_feRXsipCVqfFr7i0xr1K_OlsP_h7tfxcp3Xj0EZj78gF77vF4Lcj01B4S14zO5
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/XjulzUQfPsVZjAC6DJrlVtyGdUQKM8_6sI0SAcqopIqEn18pOQ0BzWWrXZ5W6FoAx2
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/XvcIkb0Lqs86H9rq4wocG56dgQmp7EFyIC18o1gJiMnxUJBkj7YyxUGViLIDPtB_KN
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/eBgXEvVz_cqaqw5ZZRjWndAKwLuWlFXuf9CW0NHHMgK3BY5TCrI2AE1tsq20ZeXM55
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/g1VeY9p01k-fMeY0yTPigiPXx09HBHtcK6SfGLrX_GVk1UO9zik80izCL5yecuKJqK
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/jZDSgvByFEvqdDnQR1gtUN1f86-ZbMJKLtlUshMU1Qk0c_Dzb3-NjxX-F1ZvGnEx_7
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/nJzFtXRNnCoIZXs6_v7xgf0Nz6l1X-0bKmGaJz0KTY3ovil-DDcimGKPyhkoEEONab
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/rIhH9x08DxI4YdYl9hB-MmC4e1MFaovevyo98RHu3ryszkuwXCkSYxgKD2-8btnf4x
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/secXuOC5WcxmNqaaKKhyAEU1GiiW8kg5Eh1SB-8jrhyrVLb_VWA0NIgNlwKhtaW8y9
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/uu1BWN2_yiSe1Ciw4nsEQ2gTDIzIOpTATkeVuPLijgZvHQxmJcjfF1RQJNmgb7VaJ_
Source: chromecache_126.1.dr	String found in binary or memory: https://lh3.googleusercontent.com/wrHKPwn_RKCusdpmICnKeZoYVzfup5x3e6UFj58iVzEymAnru1XWjhrl2mFu5eLJ8X
Source: chromecache_126.1.dr	String found in binary or memory: https://marketingplatform.google.com/about/enterprise/
Source: chromecache_126.1.dr	String found in binary or memory: https://marketingplatform.google.com/about/enterprise/#webpage
Source: chromecache_126.1.dr	String found in binary or memory: https://marketingplatform.google.com/home?openIntegrationCenter=true&utm_source=marketingplatfor
Source: chromecache_109.1.dr, chromecache_140.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com
Source: chromecache_115.1.dr, chromecache_169.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/bg/
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/getconfig/sodar
Source: chromecache_140.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=rcs_internal
Source: chromecache_169.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=sodar2&v=231
Source: chromecache_115.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=sodar2&v=232
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/html/$
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/$
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=
Source: chromecache_163.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-7075008344469842
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/err_rep.js
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/logging_library.js
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/managed/js/adsense/$
Source: chromecache_109.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/ping
Source: chromecache_109.1.dr, chromecache_140.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/ping?e=1
Source: chromecache_127.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/sodar?
Source: chromecache_169.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/sodar?id=sodar2&v=231
Source: chromecache_115.1.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/sodar?id=sodar2&v=232
Source: chromecache_180.1.dr, chromecache_109.1.dr	String found in binary or memory: https://securepubads.g.doubleclick.net/pagead/js/car.js
Source: chromecache_180.1.dr, chromecache_109.1.dr	String found in binary or memory: https://securepubads.g.doubleclick.net/pagead/js/cocar.js
Source: chromecache_109.1.dr	String found in binary or memory: https://securepubads.g.doubleclick.net/static/topics/topics_frame.html
Source: chromecache_126.1.dr	String found in binary or memory: https://signup.withgoogle.com/newsletter/marketingplatform/
Source: chromecache_126.1.dr	String found in binary or memory: https://skillshop.withgoogle.com/
Source: chromecache_126.1.dr	String found in binary or memory: https://support.google.com/marketingplatform
Source: chromecache_115.1.dr	String found in binary or memory: https://tpc.googlesyndication.com
Source: chromecache_115.1.dr	String found in binary or memory: https://tpc.googlesyndication.com/sodar/
Source: chromecache_109.1.dr	String found in binary or memory: https://tpc.googlesyndication.com/sodar/$
Source: chromecache_126.1.dr	String found in binary or memory: https://twitter.com/GMktgPlatform
Source: chromecache_126.1.dr	String found in binary or memory: https://twitter.com/Google
Source: chromecache_126.1.dr	String found in binary or memory: https://workspace.google.com/?utm_source=marketingplatform.google.com&utm_medium=et&utm_campaign=mar
Source: chromecache_126.1.dr	String found in binary or memory: https://www.blog.google/products/marketingplatform/
Source: chromecache_115.1.dr, chromecache_126.1.dr	String found in binary or memory: https://www.google.com
Source: chromecache_126.1.dr	String found in binary or memory: https://www.google.com/
Source: chromecache_126.1.dr	String found in binary or memory: https://www.google.com/#organization
Source: chromecache_109.1.dr	String found in binary or memory: https://www.google.com/adsense/search/async-ads.js
Source: chromecache_126.1.dr	String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
Source: chromecache_126.1.dr	String found in binary or memory: https://www.google.com/intl/en/policies/privacy/
Source: chromecache_126.1.dr	String found in binary or memory: https://www.google.com/intl/en/policies/terms/
Source: chromecache_109.1.dr, chromecache_115.1.dr, chromecache_169.1.dr	String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
Source: chromecache_109.1.dr	String found in binary or memory: https://www.google.com/s2/favicons?sz=64&domain_url=
Source: chromecache_126.1.dr	String found in binary or memory: https://www.google.com/services/?utm_source=marketingplatform.google.com&utm_medium=et&utm_campaign=
Source: chromecache_126.1.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: chromecache_126.1.dr	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-MPHTW35
Source: chromecache_109.1.dr	String found in binary or memory: https://www.gstatic.com
Source: chromecache_126.1.dr	String found in binary or memory: https://www.gstatic.com/glue/cookienotificationbar/cookienotificationbar.min.css
Source: chromecache_126.1.dr	String found in binary or memory: https://www.gstatic.com/glue/cookienotificationbar/cookienotificationbar.min.js
Source: chromecache_126.1.dr	String found in binary or memory: https://www.gstatic.com/images/branding/googleg/2x/googleg_standard_color_192dp.png
Source: chromecache_126.1.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/ico/googleg_alldp.ico
Source: chromecache_126.1.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/ico/googleg_standard_16dp.ico
Source: chromecache_126.1.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/ico/googleg_standard_32dp.ico
Source: chromecache_109.1.dr	String found in binary or memory: https://www.gstatic.com/prose/protected/$
Source: chromecache_126.1.dr	String found in binary or memory: https://www.instagram.com/google/
Source: chromecache_126.1.dr	String found in binary or memory: https://www.linkedin.com/showcase/googlemarketingplatform
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp, 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2196441752.00007FFFDB68C000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.questpdf.com/license-configuration.html
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp, 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2196441752.00007FFFDB68C000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.questpdf.com/pricing.html)
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.questpdf.com/pricing.htmlY
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2196441752.00007FFFDB68C000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.questpdf.com/pricing.htmlx
Source: chromecache_126.1.dr	String found in binary or memory: https://www.thinkwithgoogle.com/?utm_source=marketingplatform.google.com&utm_medium=et&utm_campaign=
Source: chromecache_126.1.dr	String found in binary or memory: https://www.yourprimer.com/?utm_source=marketingplatform.google.com&utm_medium=et&utm_campaign=marke
Source: chromecache_126.1.dr	String found in binary or memory: https://www.youtube.com/c/googlemarketingplatform

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown

HTTPS traffic detected: 23.60.203.209:443 -> 192.168.2.16:49715 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1DOC-PROCESO-PDF.exe PID: 3544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3208, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000010.00000002.2349982723.000000000333D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000010.00000002.2348737511.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000010.00000002.2349982723.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 1DOC-PROCESO-PDF.exe PID: 3544, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 3208, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\YDRAY-1DOC-PROCESO-REF5-2401GH0147-DOC-0123.zip (copy)

Jump to dropped file

Drops password protected ZIP file

Source: YDRAY-1DOC-PROCESO-REF5-2401GH0147-DOC-0123.zip.crdownload.0.dr	Zip Entry: encrypted
Source: chromecache_154.1.dr	Zip Entry: encrypted

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir6800_1399046521

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir6800_1399046521

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_015DA5D0	16_2_015DA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_015DEA90	16_2_015DEA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_015D9D00	16_2_015D9D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_015D99B8	16_2_015D99B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 16_2_05E107D8	16_2_05E107D8

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000010.00000002.2349982723.000000000333D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000010.00000002.2348737511.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000010.00000002.2349982723.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 1DOC-PROCESO-PDF.exe PID: 3544, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: InstallUtil.exe PID: 3208, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, Settings.cs	Base64 encoded string: 'yVQkdD30EJaSsep5amR299n7bRng91vK3AJPDwvdf3dc7OLaJQGfpA086VTs1csmpTJbJ7FwuLsVk2Bb7IQpbw==', 'RVpjLLfLT2CrHxW9IBhYkETDl7nCXzQMvMW2vWHlzA3nDB+p/v2ek9jX1J41GCyQDOJq8ecYx1v0i42RF/ErMzbPYq2FGGk7uQlN/yReHvs=', '+6S/baAI1Bu5SAQ7UyLo1Rg2K1749gBskCnAd9pwS14YuLocmyT3WApDgVGJZvl2in5TiSkA/XB2bxqkwnRStg==', 'vWJ8qvJn3ashQTlu8Gfw1OOWS8NED2vKDiYlDe1fZEfGMjjFtSoRDVxWFL8bmsSbto2CToStwkgo8q8iyiUO7w==', 'LzKpZyT8mU+8rq6ikSD+3r8ggezxyL1If/URdRhl30qXfB3vP+Y7cUHfQQ7UwdeOXodproW1+6btzr2sZybhgQ==', 'v1J1ATUmkYv9aSMUHUoEuguDFFgQ4Qy57DWoMfA4wfCfUbiGoWlgSAsc0jvgdtFCOBGMBPi3k82FBKqblVW54g=='
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, Settings.cs	Base64 encoded string: 'yVQkdD30EJaSsep5amR299n7bRng91vK3AJPDwvdf3dc7OLaJQGfpA086VTs1csmpTJbJ7FwuLsVk2Bb7IQpbw==', 'RVpjLLfLT2CrHxW9IBhYkETDl7nCXzQMvMW2vWHlzA3nDB+p/v2ek9jX1J41GCyQDOJq8ecYx1v0i42RF/ErMzbPYq2FGGk7uQlN/yReHvs=', '+6S/baAI1Bu5SAQ7UyLo1Rg2K1749gBskCnAd9pwS14YuLocmyT3WApDgVGJZvl2in5TiSkA/XB2bxqkwnRStg==', 'vWJ8qvJn3ashQTlu8Gfw1OOWS8NED2vKDiYlDe1fZEfGMjjFtSoRDVxWFL8bmsSbto2CToStwkgo8q8iyiUO7w==', 'LzKpZyT8mU+8rq6ikSD+3r8ggezxyL1If/URdRhl30qXfB3vP+Y7cUHfQQ7UwdeOXodproW1+6btzr2sZybhgQ==', 'v1J1ATUmkYv9aSMUHUoEuguDFFgQ4Qy57DWoMfA4wfCfUbiGoWlgSAsc0jvgdtFCOBGMBPi3k82FBKqblVW54g=='
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, Settings.cs	Base64 encoded string: 'yVQkdD30EJaSsep5amR299n7bRng91vK3AJPDwvdf3dc7OLaJQGfpA086VTs1csmpTJbJ7FwuLsVk2Bb7IQpbw==', 'RVpjLLfLT2CrHxW9IBhYkETDl7nCXzQMvMW2vWHlzA3nDB+p/v2ek9jX1J41GCyQDOJq8ecYx1v0i42RF/ErMzbPYq2FGGk7uQlN/yReHvs=', '+6S/baAI1Bu5SAQ7UyLo1Rg2K1749gBskCnAd9pwS14YuLocmyT3WApDgVGJZvl2in5TiSkA/XB2bxqkwnRStg==', 'vWJ8qvJn3ashQTlu8Gfw1OOWS8NED2vKDiYlDe1fZEfGMjjFtSoRDVxWFL8bmsSbto2CToStwkgo8q8iyiUO7w==', 'LzKpZyT8mU+8rq6ikSD+3r8ggezxyL1If/URdRhl30qXfB3vP+Y7cUHfQQ7UwdeOXodproW1+6btzr2sZybhgQ==', 'v1J1ATUmkYv9aSMUHUoEuguDFFgQ4Qy57DWoMfA4wfCfUbiGoWlgSAsc0jvgdtFCOBGMBPi3k82FBKqblVW54g=='
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winSVG@41/146@59/16

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\d500af9e-ea32-45ad-a712-3fc564d29d34.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanFrhG
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\GGP_DO~1.SVG
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,16360163992895380540,2877974460578698395,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:3
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe "C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe"
Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,16360163992895380540,2877974460578698395,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior

Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Section loaded: libcares-2.dll	Jump to behavior
Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: GGP_DOCUMENTO CITACION AUDIENCIA_GGP.svg

Static file information: File size 6387099 > 1048576

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 16_2_015D2FFC pushad ; retf

16_2_015D2FBE

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1DOC-PROCESO-PDF.exe PID: 3544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3208, type: MEMORYSTR

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1DOC-PROCESO-PDF.exe PID: 3544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3208, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Memory allocated: 144527E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 15D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Window / User API: threadDelayed 9866

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4228	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5128	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 976	Thread sleep count: 9866 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195991193.00007FFFDB492000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: InstallUtil.exe, 00000010.00000002.2353267320.000000000567C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2353267320.0000000005689000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2348737511.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195189134.0000014452829000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"			Jump to behavior
Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456dabd10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456d9fd61.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.1DOC-PROCESO-PDF.exe.14456c699ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1DOC-PROCESO-PDF.exe PID: 3544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3208, type: MEMORYSTR

Disable Windows Toast Notifications

Source: C:\Users\user\Documents\1DOC-PROCESO-PDF\1DOC-PROCESO-PDF.exe

Registry value created: ToastEnabled 0

Jump to behavior

Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: InstallUtil.exe, 00000010.00000002.2348737511.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 1DOC-PROCESO-PDF.exe, 0000000D.00000002.2195287391.0000014456C04000.00000004.00001000.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2347257186.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000010.00000002.2349982723.000000000333D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3208, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000010.00000002.2349982723.000000000333D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 3208, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	11 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Modify Registry	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	31 Virtualization/Sandbox Evasion	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	24 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Rundll32	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Extra Window Memory Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GGP_DOCUMENTO CITACION AUDIENCIA_GGP.svg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
GGP_DOCUMENTO CITACION AUDIENCIA_GGP.svg